exploitDog


SUSE-SU-2025:1294-1

Published: 16 Apr 2025
Source: suse-cvrf

Description

Security update for rubygem-bundler

This update for rubygem-bundler fixes the following issues:

  • CVE-2020-36327: Fixed bundler choosing a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen instead of the intended private gem (dependency confusion) (bsc#1185842)

Other fixes:

  • Updated to version 2.2.34

Package list

Container bci/ruby:latest
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
Container suse/rmt-server:latest
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
Image SLES15-SP4-SAP-BYOS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
Image SLES15-SP4-SAP-BYOS-Azure
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Enterprise Storage 7.1
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Module for Basesystem 15 SP6
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Server 15 SP3-LTSS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Server 15 SP4-LTSS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Server 15 SP5-LTSS
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Manager Proxy 4.3
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
SUSE Manager Server 4.3
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
openSUSE Leap 15.6
  ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
  ruby2.5-rubygem-bundler-doc-2.2.34-150000.3.11.1

Description (CVE-2020-36327)

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product. Versions 2.2.10 and 2.2.17 and later fall outside the affected range; this update ships 2.2.34.
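The resolution flaw described above, modelled in an added Ruby example that is not code from the SUSE advisory or from Bundler itself. It contrasts the affected "highest version wins" choice with a source-pinned choice, and then audits a Gemfile.lock for private gems that were resolved from a public remote. The gem names (acme-auth, acme-billing), the remotes, the versions and the lockfile text are all constructed for the demo; the lockfile parser is a minimal hand-rolled one that reads only the GEM sections.

```ruby
# Added example for CVE-2020-36327 (not SUSE's or Bundler's own code).
# Models the affected and the fixed source choice, and audits a Gemfile.lock
# for private gems resolved from a public remote. Every name, version, remote
# and lockfile line below is constructed for the demo.
require "rubygems" # Gem::Version gives proper version ordering (1.10 > 1.9)

Candidate = Struct.new(:name, :version, :source)

PRIVATE_REMOTE = "https://gems.acme.internal/" # assumed private gem server
PUBLIC_REMOTE  = "https://rubygems.org/"

# The same gem name offered by both remotes: the private 1.4.0 the application
# meant, and a rogue 99.0.0 someone pushed to the public index.
CANDIDATES = [
  Candidate.new("acme-auth", "1.4.0",  PRIVATE_REMOTE),
  Candidate.new("acme-auth", "99.0.0", PUBLIC_REMOTE),
].freeze

# Affected behaviour, modelled: when a gem is reachable from more than one
# source, the highest version wins regardless of which source offered it.
def resolve_by_highest_version(candidates)
  candidates.max_by { |c| Gem::Version.new(c.version) }
end

# Fixed behaviour, modelled: a gem that belongs to a pinned source is taken
# only from that source; versions offered elsewhere are never considered.
def resolve_source_pinned(candidates, pinned_source)
  candidates.select { |c| c.source == pinned_source }
            .max_by { |c| Gem::Version.new(c.version) }
end

# Minimal parser for the GEM sections of a Gemfile.lock: { gem => remote }.
# Bundler 2.x writes one GEM block per remote. An older lockfile may list
# several "remote:" lines in one block; the origin of its specs cannot then
# be told apart, so it is reported as :ambiguous rather than guessed.
def resolved_remotes(lockfile_text)
  remotes = {}
  in_gem_section = false
  block_remotes = []
  lockfile_text.each_line do |raw|
    line = raw.rstrip
    if line == "GEM"
      in_gem_section = true
      block_remotes = []
    elsif line.match?(/\A[A-Z]/)      # PLATFORMS, DEPENDENCIES, PATH, GIT, ...
      in_gem_section = false
    elsif in_gem_section
      if (m = line.match(/\A  remote: (\S+)\z/))
        block_remotes << m[1]
      elsif (m = line.match(/\A    (\S+) \([^)]+\)\z/)) # 4 spaces: resolved spec
        remotes[m[1]] = block_remotes.size == 1 ? block_remotes.first : :ambiguous
      end # 6-space lines are a spec's own dependencies and carry no remote
    end
  end
  remotes
end

# Reports every gem expected from the private remote that the lockfile
# resolved elsewhere (the dependency-confusion outcome) or not at all.
def audit_lockfile(lockfile_text, private_gems, private_remote)
  resolved = resolved_remotes(lockfile_text)
  private_gems.each_with_object({}) do |name, findings|
    origin = resolved[name]
    next if origin == private_remote
    findings[name] = origin.nil? ? :missing : origin
  end
end

# Constructed lockfile in the affected shape: acme-billing is explicitly
# depended on and came from the private remote, but its private dependency
# acme-auth was satisfied by the rogue public 99.0.0.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-auth (99.0.0)
      rake (13.0.6)

  GEM
    remote: https://gems.acme.internal/
    specs:
      acme-billing (2.1.0)
        acme-auth (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-billing!
LOCK

if __FILE__ == $PROGRAM_NAME
  picked = resolve_by_highest_version(CANDIDATES)
  puts "affected resolver picks #{picked.name} #{picked.version} from #{picked.source}"
  fixed = resolve_source_pinned(CANDIDATES, PRIVATE_REMOTE)
  puts "pinned resolver picks #{fixed.name} #{fixed.version} from #{fixed.source}"
  audit_lockfile(SAMPLE_LOCKFILE, %w[acme-auth acme-billing], PRIVATE_REMOTE)
    .each { |gem, origin| puts "FINDING: #{gem} resolved from #{origin}" }
end
```

The audit is the check to run against an existing Gemfile.lock before and after applying this update: any private gem whose recorded remote is a public index is exactly the outcome the CVE describes. In Bundler's Gemfile DSL a `source "https://gems.acme.internal" do ... end` block pins the gems declared inside it to that source, so naming transitive private gems there as well removes the ambiguity on an unfixed Bundler; upgrading to a fixed version, 2.2.34 in this update, is the proper fix.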


Affected products
Container bci/ruby:latest:ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
Container suse/rmt-server:latest:ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
Image SLES15-SP4-SAP-BYOS-Azure:ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1
Image SLES15-SP4-SAP-BYOS:ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1

References