Advisories » MGASA-2020-0285

Updated ruby packages fix security vulnerability

Publication date: 07 Jul 2020
Modification date: 07 Jul 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-10933

Description

Updated ruby packages fix security vulnerability:

An issue was discovered in Ruby through 2.5.7. If a victim calls
BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method
resizes the buffer to fit the requested size, but no data is copied. Thus, the
buffer string provides the previous value of the heap. This may expose possibly
sensitive data from the interpreter (CVE-2020-10933).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26409
• https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
• https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933

SRPMS

7/core

• ruby-2.5.8-21.mga7