Описание
Security update for ruby2.5
This update for ruby2.5 fixes the following issues:
- CVE-2024-35221: Fixed remote denial of service via YAML manifest (bsc#1225905)
Список пакетов
SUSE Linux Enterprise Module for Basesystem 15 SP6
libruby2_5-2_5-2.5.9-150000.4.49.1
ruby2.5-2.5.9-150000.4.49.1
ruby2.5-devel-2.5.9-150000.4.49.1
ruby2.5-devel-extra-2.5.9-150000.4.49.1
ruby2.5-stdlib-2.5.9-150000.4.49.1
openSUSE Leap 15.6
libruby2_5-2_5-2.5.9-150000.4.49.1
ruby2.5-2.5.9-150000.4.49.1
ruby2.5-devel-2.5.9-150000.4.49.1
ruby2.5-devel-extra-2.5.9-150000.4.49.1
ruby2.5-doc-2.5.9-150000.4.49.1
ruby2.5-doc-ri-2.5.9-150000.4.49.1
ruby2.5-stdlib-2.5.9-150000.4.49.1
Ссылки
- Link for SUSE-SU-2025:02814-1
- E-Mail link for SUSE-SU-2025:02814-1
- SUSE Security Ratings
- SUSE Bug 1225905
- SUSE CVE CVE-2024-35221 page
Описание
Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.
Затронутые продукты
SUSE Linux Enterprise Module for Basesystem 15 SP6:libruby2_5-2_5-2.5.9-150000.4.49.1
SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-2.5.9-150000.4.49.1
SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-2.5.9-150000.4.49.1
SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-extra-2.5.9-150000.4.49.1
Ссылки
- CVE-2024-35221
- SUSE Bug 1225905