ALAS-2020-1423


Amazon Linux AMI Security Advisory: ALAS-2020-1423
Advisory Release Date: 2020-08-26 23:09 Pacific
Advisory Updated Date: 2020-08-31 20:20 Pacific
Severity: Medium
References: CVE-2020-10663 

Issue Overview:

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269 , but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. (CVE-2020-10663 )


Affected Packages:

rubygem-json


Issue Correction:
Run yum update rubygem-json to update your system.

New Packages:
i686:
    rubygem21-json-1.8.3-1.53.amzn1.i686
    rubygem20-json-1.8.3-1.53.amzn1.i686
    rubygem22-json-1.8.3-1.53.amzn1.i686
    rubygem23-json-1.8.3-1.53.amzn1.i686
    rubygem-json-debuginfo-1.8.3-1.53.amzn1.i686
    rubygem20-json-doc-1.8.3-1.53.amzn1.i686
    rubygem23-json-doc-1.8.3-1.53.amzn1.i686
    rubygem21-json-doc-1.8.3-1.53.amzn1.i686
    rubygem18-json-doc-1.8.3-1.53.amzn1.i686
    rubygem22-json-doc-1.8.3-1.53.amzn1.i686
    rubygem18-json-1.8.3-1.53.amzn1.i686

src:
    rubygem-json-1.8.3-1.53.amzn1.src

x86_64:
    rubygem23-json-1.8.3-1.53.amzn1.x86_64
    rubygem18-json-1.8.3-1.53.amzn1.x86_64
    rubygem20-json-1.8.3-1.53.amzn1.x86_64
    rubygem18-json-doc-1.8.3-1.53.amzn1.x86_64
    rubygem20-json-doc-1.8.3-1.53.amzn1.x86_64
    rubygem21-json-1.8.3-1.53.amzn1.x86_64
    rubygem21-json-doc-1.8.3-1.53.amzn1.x86_64
    rubygem23-json-doc-1.8.3-1.53.amzn1.x86_64
    rubygem-json-debuginfo-1.8.3-1.53.amzn1.x86_64
    rubygem22-json-doc-1.8.3-1.53.amzn1.x86_64
    rubygem22-json-1.8.3-1.53.amzn1.x86_64