ALAS-2020-1416


Amazon Linux 1 Security Advisory: ALAS-2020-1416
Advisory Release Date: 2020-08-10 23:07 Pacific
Advisory Updated Date: 2020-08-12 17:53 Pacific
Severity: Medium

Issue Overview:

An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats. (CVE-2018-16396)

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. (CVE-2020-10663)


Affected Packages:

ruby20


Issue Correction:
Run yum update ruby20 to update your system.

New Packages:
i686:
    ruby20-libs-2.0.0.648-1.33.amzn1.i686
    ruby20-debuginfo-2.0.0.648-1.33.amzn1.i686
    rubygem20-psych-2.0.0-1.33.amzn1.i686
    ruby20-2.0.0.648-1.33.amzn1.i686
    rubygem20-io-console-0.4.2-1.33.amzn1.i686
    ruby20-devel-2.0.0.648-1.33.amzn1.i686
    rubygem20-bigdecimal-1.2.0-1.33.amzn1.i686

noarch:
    rubygems20-2.0.14.1-1.33.amzn1.noarch
    rubygems20-devel-2.0.14.1-1.33.amzn1.noarch
    ruby20-doc-2.0.0.648-1.33.amzn1.noarch
    ruby20-irb-2.0.0.648-1.33.amzn1.noarch

src:
    ruby20-2.0.0.648-1.33.amzn1.src

x86_64:
    ruby20-libs-2.0.0.648-1.33.amzn1.x86_64
    rubygem20-io-console-0.4.2-1.33.amzn1.x86_64
    rubygem20-psych-2.0.0-1.33.amzn1.x86_64
    ruby20-devel-2.0.0.648-1.33.amzn1.x86_64
    ruby20-debuginfo-2.0.0.648-1.33.amzn1.x86_64
    ruby20-2.0.0.648-1.33.amzn1.x86_64
    rubygem20-bigdecimal-1.2.0-1.33.amzn1.x86_64