{"schema_version":"1.7.2","id":"OESA-2024-1938","modified":"2024-08-02T11:08:43Z","published":"2024-08-02T11:08:43Z","upstream":["CVE-2024-35221"],"summary":"ruby security update","details":"Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nRubygems.org is the Ruby community\u0026apos;s gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.(CVE-2024-35221)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"ruby","purl":"pkg:rpm/openEuler/ruby\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.2-142.oe2403"}]}],"ecosystem_specific":{"aarch64":["rubygem-bigdecimal-3.1.3-142.oe2403.aarch64.rpm","rubygem-json-2.6.3-142.oe2403.aarch64.rpm","ruby-3.2.2-142.oe2403.aarch64.rpm","ruby-debugsource-3.2.2-142.oe2403.aarch64.rpm","rubygem-io-console-0.6.0-142.oe2403.aarch64.rpm","ruby-devel-3.2.2-142.oe2403.aarch64.rpm","ruby-bundled-gems-3.2.2-142.oe2403.aarch64.rpm","rubygem-psych-5.0.1-142.oe2403.aarch64.rpm","ruby-debuginfo-3.2.2-142.oe2403.aarch64.rpm","rubygem-openssl-3.1.0-142.oe2403.aarch64.rpm","rubygem-rbs-2.8.2-142.oe2403.aarch64.rpm"],"noarch":["rubygem-did_you_mean-1.6.3-142.oe2403.noarch.rpm","rubygem-rexml-3.2.5-142.oe2403.noarch.rpm","rubygem-test-unit-3.5.7-142.oe2403.noarch.rpm","ruby-irb-3.2.2-142.oe2403.noarch.rpm","rubygem-minitest-5.16.3-142.oe2403.noarch.rpm","rubygems-3.4.10-142.oe2403.noarch.rpm","rubygems-devel-3.4.10-142.oe2403.noarch.rpm","rubygem-rake-13.0.6-142.oe2403.noarch.rpm","rubygem-rdoc-6.5.0-142.oe2403.noarch.rpm","ruby-help-3.2.2-142.oe2403.noarch.rpm","rubygem-rss-0.2.9-142.oe2403.noarch.rpm","rubygem-typeprof-0.21.3-142.oe2403.noarch.rpm"],"src":["ruby-3.2.2-142.oe2403.src.rpm"],"x86_64":["rubygem-rbs-2.8.2-142.oe2403.x86_64.rpm","rubygem-json-2.6.3-142.oe2403.x86_64.rpm","ruby-3.2.2-142.oe2403.x86_64.rpm","rubygem-openssl-3.1.0-142.oe2403.x86_64.rpm","ruby-debuginfo-3.2.2-142.oe2403.x86_64.rpm","ruby-bundled-gems-3.2.2-142.oe2403.x86_64.rpm","rubygem-io-console-0.6.0-142.oe2403.x86_64.rpm","ruby-debugsource-3.2.2-142.oe2403.x86_64.rpm","ruby-devel-3.2.2-142.oe2403.x86_64.rpm","rubygem-psych-5.0.1-142.oe2403.x86_64.rpm","rubygem-bigdecimal-3.1.3-142.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1938"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35221"}],"database_specific":{"severity":"Medium"}}