diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2021-09-14 16:57:17 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-17 21:31:37 +0100 |
commit | 033ba67e539a6109ebab8192c1ce76329ea36fcc (patch) | |
tree | ba5755fb89295a7d8d525a281cebf05342e0ae3a /meta/recipes-devtools/pkgconf | |
parent | 5dad70fedb5fc38dbbd498d668b95ea9dba48293 (diff) | |
download | poky-033ba67e539a6109ebab8192c1ce76329ea36fcc.tar.gz |
ruby: Security fixes for CVE-2021-31810/CVE-2021-32066
CVE-2021-31810:
A malicious FTP server can use the PASV response to trick Net::FTP into
connecting back to a given IP address and port. This potentially makes
Net::FTP extract information about services that are otherwise private
and not disclosed (e.g., the attacker can conduct port scans and service
banner extractions).
CVE-2021-32066:
Net::IMAP does not raise an exception when StartTLS fails with an
unknown response, which might allow man-in-the-middle attackers to
bypass the TLS protections by leveraging a network position between the
client and the registry to block the StartTLS command, aka a “StartTLS
stripping attack.”
References:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
Patches from:
https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd
https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256
(From OE-Core rev: e14761916290c01683d72eb8e3de530f944fdfab)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/pkgconf')
0 files changed, 0 insertions, 0 deletions