ALAS2022-2023-262

Amazon Linux 2022 Security Advisory: ALAS-2023-262
Advisory Release Date: 2023-01-20 16:43 Pacific
Advisory Updated Date: 2023-01-24 21:26 Pacific
Severity: Important
Issue Overview:

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. (CVE-2021-33621)


Affected Packages:

ruby3.1


Issue Correction:
Run dnf update ruby3.1 to update your system.

New Packages:
aarch64:
    ruby3.1-devel-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-rbs-debuginfo-2.7.0-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-bigdecimal-3.1.1-173.amzn2022.0.1.aarch64
    ruby3.1-debuginfo-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-psych-debuginfo-4.0.4-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-psych-4.0.4-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-bigdecimal-debuginfo-3.1.1-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-json-debuginfo-2.6.1-173.amzn2022.0.1.aarch64
    ruby3.1-bundled-gems-debuginfo-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-libs-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-rbs-2.7.0-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-io-console-debuginfo-0.5.11-173.amzn2022.0.1.aarch64
    ruby3.1-libs-debuginfo-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-bundled-gems-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-debugsource-3.1.3-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-io-console-0.5.11-173.amzn2022.0.1.aarch64
    ruby3.1-rubygem-json-2.6.1-173.amzn2022.0.1.aarch64

noarch:
    ruby3.1-rubygem-rexml-3.2.5-173.amzn2022.0.1.noarch
    ruby3.1-rubygems-3.3.26-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-rss-0.2.9-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-power_assert-2.0.1-173.amzn2022.0.1.noarch
    ruby3.1-rubygems-devel-3.3.26-173.amzn2022.0.1.noarch
    ruby3.1-default-gems-3.1.3-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-test-unit-3.5.3-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-rake-13.0.6-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-typeprof-0.21.3-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-minitest-5.15.0-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-bundler-2.3.26-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-irb-1.4.1-173.amzn2022.0.1.noarch
    ruby3.1-rubygem-rdoc-6.4.0-173.amzn2022.0.1.noarch
    ruby3.1-doc-3.1.3-173.amzn2022.0.1.noarch

src:
    ruby3.1-3.1.3-173.amzn2022.0.1.src

x86_64:
    ruby3.1-rubygem-bigdecimal-debuginfo-3.1.1-173.amzn2022.0.1.x86_64
    ruby3.1-devel-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-debugsource-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-libs-debuginfo-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-bundled-gems-debuginfo-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-json-2.6.1-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-json-debuginfo-2.6.1-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-rbs-debuginfo-2.7.0-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-rbs-2.7.0-173.amzn2022.0.1.x86_64
    ruby3.1-libs-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-io-console-0.5.11-173.amzn2022.0.1.x86_64
    ruby3.1-debuginfo-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-bigdecimal-3.1.1-173.amzn2022.0.1.x86_64
    ruby3.1-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-io-console-debuginfo-0.5.11-173.amzn2022.0.1.x86_64
    ruby3.1-bundled-gems-3.1.3-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-psych-debuginfo-4.0.4-173.amzn2022.0.1.x86_64
    ruby3.1-rubygem-psych-4.0.4-173.amzn2022.0.1.x86_64

Additional References

Red Hat: CVE-2021-33621

Mitre: CVE-2021-33621