ruby: Security fixes for CVE-2021-31810/CVE-2021-32066 - openembedded-core-contrib - OpenEmbedded Core user contribution trees

diff options

author	Yi Zhao <yi.zhao@windriver.com>	2021-09-14 16:57:17 +0800
committer	Anuj Mittal <anuj.mittal@intel.com>	2021-09-15 10:04:54 +0800
commit	e14761916290c01683d72eb8e3de530f944fdfab (patch)
tree	b173b864391e354271479c9a7fb2aab31566952f /meta/recipes-support/sqlite/sqlite3_3.35.0.bb
parent	567dd35d893c5d8969d41f263a24da8fbae3fc2f (diff)
download	openembedded-core-contrib-e14761916290c01683d72eb8e3de530f944fdfab.tar.gz

ruby: Security fixes for CVE-2021-31810/CVE-2021-32066

CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” References: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ Patches from: https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

Diffstat (limited to 'meta/recipes-support/sqlite/sqlite3_3.35.0.bb')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: