Description
ELSA-2022-0545: ruby:2.5 security update (IMPORTANT)
rubygem-bundler [1.16.1-4]
- Fix Bundler dependency confusion. Resolves: CVE-2020-36327
Updated packages
Oracle Linux 8
Oracle Linux aarch64
Module ruby:2.5 is enabled
ruby
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-devel
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-doc
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-irb
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-libs
2.5.9-107.module+el8.5.0+20497+d0a7b862
rubygem-abrt
0.3.0-4.module+el8.3.0+7756+e45777e9
rubygem-abrt-doc
0.3.0-4.module+el8.3.0+7756+e45777e9
rubygem-bigdecimal
1.3.4-107.module+el8.5.0+20497+d0a7b862
rubygem-bson
4.3.0-2.module+el8.3.0+7756+e45777e9
rubygem-bson-doc
4.3.0-2.module+el8.3.0+7756+e45777e9
rubygem-bundler
1.16.1-4.module+el8.5.0+20497+d0a7b862
rubygem-bundler-doc
1.16.1-4.module+el8.5.0+20497+d0a7b862
rubygem-did_you_mean
1.2.0-107.module+el8.5.0+20497+d0a7b862
rubygem-io-console
0.4.6-107.module+el8.5.0+20497+d0a7b862
rubygem-json
2.1.0-107.module+el8.5.0+20497+d0a7b862
rubygem-minitest
5.10.3-107.module+el8.5.0+20497+d0a7b862
rubygem-mongo
2.5.1-2.module+el8.3.0+7756+e45777e9
rubygem-mongo-doc
2.5.1-2.module+el8.3.0+7756+e45777e9
rubygem-mysql2
0.4.10-4.module+el8.3.0+7756+e45777e9
rubygem-mysql2-doc
0.4.10-4.module+el8.3.0+7756+e45777e9
rubygem-net-telnet
0.1.1-107.module+el8.5.0+20497+d0a7b862
rubygem-openssl
2.1.2-107.module+el8.5.0+20497+d0a7b862
rubygem-pg
1.0.0-2.module+el8.3.0+7756+e45777e9
rubygem-pg-doc
1.0.0-2.module+el8.3.0+7756+e45777e9
rubygem-power_assert
1.1.1-107.module+el8.5.0+20497+d0a7b862
rubygem-psych
3.0.2-107.module+el8.5.0+20497+d0a7b862
rubygem-rake
12.3.3-107.module+el8.5.0+20497+d0a7b862
rubygem-rdoc
6.0.1.1-107.module+el8.5.0+20497+d0a7b862
rubygem-test-unit
3.2.7-107.module+el8.5.0+20497+d0a7b862
rubygem-xmlrpc
0.3.0-107.module+el8.5.0+20497+d0a7b862
rubygems
2.7.6.3-107.module+el8.5.0+20497+d0a7b862
rubygems-devel
2.7.6.3-107.module+el8.5.0+20497+d0a7b862
Oracle Linux x86_64
Module ruby:2.5 is enabled
ruby
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-devel
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-doc
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-irb
2.5.9-107.module+el8.5.0+20497+d0a7b862
ruby-libs
2.5.9-107.module+el8.5.0+20497+d0a7b862
rubygem-abrt
0.3.0-4.module+el8.3.0+7756+e45777e9
rubygem-abrt-doc
0.3.0-4.module+el8.3.0+7756+e45777e9
rubygem-bigdecimal
1.3.4-107.module+el8.5.0+20497+d0a7b862
rubygem-bson
4.3.0-2.module+el8.3.0+7756+e45777e9
rubygem-bson-doc
4.3.0-2.module+el8.3.0+7756+e45777e9
rubygem-bundler
1.16.1-4.module+el8.5.0+20497+d0a7b862
rubygem-bundler-doc
1.16.1-4.module+el8.5.0+20497+d0a7b862
rubygem-did_you_mean
1.2.0-107.module+el8.5.0+20497+d0a7b862
rubygem-io-console
0.4.6-107.module+el8.5.0+20497+d0a7b862
rubygem-json
2.1.0-107.module+el8.5.0+20497+d0a7b862
rubygem-minitest
5.10.3-107.module+el8.5.0+20497+d0a7b862
rubygem-mongo
2.5.1-2.module+el8.3.0+7756+e45777e9
rubygem-mongo-doc
2.5.1-2.module+el8.3.0+7756+e45777e9
rubygem-mysql2
0.4.10-4.module+el8.3.0+7756+e45777e9
rubygem-mysql2-doc
0.4.10-4.module+el8.3.0+7756+e45777e9
rubygem-net-telnet
0.1.1-107.module+el8.5.0+20497+d0a7b862
rubygem-openssl
2.1.2-107.module+el8.5.0+20497+d0a7b862
rubygem-pg
1.0.0-2.module+el8.3.0+7756+e45777e9
rubygem-pg-doc
1.0.0-2.module+el8.3.0+7756+e45777e9
rubygem-power_assert
1.1.1-107.module+el8.5.0+20497+d0a7b862
rubygem-psych
3.0.2-107.module+el8.5.0+20497+d0a7b862
rubygem-rake
12.3.3-107.module+el8.5.0+20497+d0a7b862
rubygem-rdoc
6.0.1.1-107.module+el8.5.0+20497+d0a7b862
rubygem-test-unit
3.2.7-107.module+el8.5.0+20497+d0a7b862
rubygem-xmlrpc
0.3.0-107.module+el8.5.0+20497+d0a7b862
rubygems
2.7.6.3-107.module+el8.5.0+20497+d0a7b862
rubygems-devel
2.7.6.3-107.module+el8.5.0+20497+d0a7b862
Related CVEs
Related vulnerabilities
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
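The vulnerability text above describes Bundler picking a gem from whichever source offers the highest version number, so a gem that was meant to come from a private source can be satisfied by a same-named gem on a public one. A defender's first check is the lockfile: Gemfile.lock records, for every resolved gem, the remote it was taken from. The Ruby script below is an added example, not code from the advisory or from Bundler; it parses the `GEM` / `remote:` / `specs:` layout of a Gemfile.lock and flags gems that an organisation expects from its private remote but that resolved elsewhere. The lockfile text, the gem names (`acme-auth`, `acme-billing`) and the host `gems.acme.internal` are constructed for the example.

```ruby
# Added example (not part of the Oracle advisory or of Bundler itself):
# detect private gems that a Gemfile.lock resolved from a remote other than
# the expected private source, the symptom of the dependency-confusion
# behaviour described for CVE-2020-36327.

# Constructed sample lockfile. Gem names and hosts are hypothetical.
# 'acme-billing' is meant to be private but was resolved from rubygems.org.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (12.3.3)
      acme-billing (9.9.9)

  GEM
    remote: https://gems.acme.internal/
    specs:
      acme-auth (1.2.0)
        rake (>= 12)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-auth
    acme-billing

  BUNDLED WITH
     1.16.1
LOCK

# Returns a Hash mapping each resolved gem name to the list of remotes
# whose GEM section lists it as a spec (sub-dependency lines are skipped).
def resolved_sources(lock_text)
  sources = Hash.new { |h, k| h[k] = [] }
  remote = nil
  in_specs = false
  lock_text.each_line do |line|
    case line
    when /\A\S/                        # new top-level section (GEM, PLATFORMS, ...)
      remote = nil
      in_specs = false
    when /\A  remote: (\S+)/           # remote URL of the current GEM section
      remote = Regexp.last_match(1)
    when /\A  specs:/                  # start of the resolved spec list
      in_specs = true
    when /\A    (\S+) \(([^)]+)\)/     # exactly four spaces: a spec, not a sub-dependency
      sources[Regexp.last_match(1)] << remote if in_specs && remote
    end
  end
  sources
end

# Returns a finding line for every gem in +private_gems+ that the lockfile
# resolved from any remote other than +private_remote+.
def dependency_confusion_findings(lock_text, private_gems, private_remote)
  resolved_sources(lock_text).select do |name, remotes|
    private_gems.include?(name) && remotes.any? { |r| r != private_remote }
  end.map { |name, remotes| "#{name}: resolved from #{remotes.join(', ')}" }
end

if __FILE__ == $PROGRAM_NAME
  findings = dependency_confusion_findings(
    SAMPLE_LOCK, %w[acme-auth acme-billing], "https://gems.acme.internal/"
  )
  if findings.empty?
    puts "no private gem resolved from an unexpected remote"
  else
    findings.each { |f| puts "FINDING #{f}" }
  end
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")` and the allowlist with the names of the gems that only exist on the private server. The matching remediation in the Gemfile is to declare private gems inside a scoped `source "https://private.example/" do ... end` block rather than adding the private server as a second top-level `source`, so Bundler never considers the public index for those names regardless of version numbers.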