{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"rubygem-excon security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for rubygem-excon is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"EXtended http(s) CONnections.\n\nSecurity Fix(es):\n\nIn RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this. (CVE-2019-16779)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for rubygem-excon is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"rubygem-excon",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2021-1420",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1420"
			},
			{
				"summary":"CVE-2019-16779",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2019-16779&packageName=rubygem-excon"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16779"
			},
			{
				"summary":"openEuler-SA-2021-1420 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1420.json"
			}
		],
		"title":"An update for rubygem-excon is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
		"tracking":{
			"initial_release_date":"2021-11-05T09:23:48+08:00",
			"revision_history":[
				{
					"date":"2021-11-05T09:23:48+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:23:48+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:23:48+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:23:48+08:00",
			"id":"openEuler-SA-2021-1420",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"openEuler-20.03-LTS-SP2",
									"name":"openEuler-20.03-LTS-SP2"
								},
								"name":"openEuler-20.03-LTS-SP2",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm"
								},
								"name":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"rubygem-excon-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"rubygem-excon-0.62.0-3.oe1.noarch.rpm"
								},
								"name":"rubygem-excon-0.62.0-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"rubygem-excon-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP2)",
									"name":"rubygem-excon-0.62.0-3.oe1.noarch.rpm"
								},
								"name":"rubygem-excon-0.62.0-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP2)",
									"name":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm"
								},
								"name":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"rubygem-excon-0.62.0-3.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"rubygem-excon-0.62.0-3.oe1.src.rpm"
								},
								"name":"rubygem-excon-0.62.0-3.oe1.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"rubygem-excon-0.62.0-3.oe1.src.rpm(20.03-LTS-SP2)",
									"name":"rubygem-excon-0.62.0-3.oe1.src.rpm"
								},
								"name":"rubygem-excon-0.62.0-3.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:rubygem-excon-help-0.62.0-3.oe1.noarch",
					"name":"rubygem-excon-help-0.62.0-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"rubygem-excon-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.noarch",
					"name":"rubygem-excon-0.62.0-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"rubygem-excon-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.noarch",
					"name":"rubygem-excon-0.62.0-3.oe1.noarch as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"rubygem-excon-help-0.62.0-3.oe1.noarch.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:rubygem-excon-help-0.62.0-3.oe1.noarch",
					"name":"rubygem-excon-help-0.62.0-3.oe1.noarch as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"rubygem-excon-0.62.0-3.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.src",
					"name":"rubygem-excon-0.62.0-3.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"rubygem-excon-0.62.0-3.oe1.src.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.src",
					"name":"rubygem-excon-0.62.0-3.oe1.src as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2019-16779",
			"notes":[
				{
					"text":"In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:rubygem-excon-help-0.62.0-3.oe1.noarch",
					"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.noarch",
					"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.noarch",
					"openEuler-20.03-LTS-SP2:rubygem-excon-help-0.62.0-3.oe1.noarch",
					"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.src",
					"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:rubygem-excon-help-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP2:rubygem-excon-help-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.src",
						"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.src"
					],
					"details":"rubygem-excon security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1420"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.9,
						"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:rubygem-excon-help-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP2:rubygem-excon-help-0.62.0-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:rubygem-excon-0.62.0-3.oe1.src",
						"openEuler-20.03-LTS-SP2:rubygem-excon-0.62.0-3.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2019-16779"
		}
	]
}