ruby: Security fixes for CVE-2021-31810/CVE-2021-32066
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” References: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ Patches from: https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256 Signed-off-by:Yi Zhao <yi.zhao@windriver.com> Signed-off-by:
Loading
Please register or sign in to comment