CVE-2021-28965
Description
The REXML gem (bundled with Ruby and also shipped standalone on RubyGems) has an XML round-trip vulnerability: parsing a crafted XML document and serializing it again can produce a document whose structure differs from the original. A component that validates a document and a component that later consumes its re-serialized form can therefore see different content; the impact depends on how the application uses REXML. Affected: REXML 3.2.4 and earlier, including the copies bundled with Ruby 2.6.6 and earlier, 2.7.2 and earlier, and 3.0.0. Fixed in REXML 3.2.5 and in Ruby 2.6.7, 2.7.3 and 3.0.1. Distribution severity: Moderate (the RHEL-family errata is titled "ruby:2.6 security, bug fix, and enhancement update").
Mitigations
Upgrade the rexml gem to 3.2.5 or later, or move to a Ruby release that bundles the fix (2.6.7, 2.7.3, 3.0.1 or later). Check the REXML actually loaded at runtime rather than the Ruby version alone, since Bundler can select a gem that overrides the bundled copy. Distribution packages:
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2021-2588.html
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2021-2587.html
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2021-2584.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-28965
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2021:2584
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2021:2587
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2021:2588
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-28965.html
Vendor advisory: arch — https://security.archlinux.org/ASA-202104-1
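The following Ruby script is an added example, not code from the advisory or from the REXML project. It does two things a practitioner wants after this CVE: it checks the version of the REXML that is actually loaded against the fixed release (3.2.5), and it implements the round-trip check the vulnerability is named after, parsing a document, serializing it, re-parsing it and comparing the two element trees so that a document which changes across the round trip is rejected before an application acts on it. It assumes the `REXML::VERSION` constant defined in `rexml/rexml.rb` and `Gem::Version` from RubyGems; the sample XML is constructed for the example and is not the crafted document from the report.

```ruby
require 'rubygems'
require 'rexml/rexml'
require 'rexml/document'

# Added example, not code from the REXML project or the advisory.
# First REXML release that fixes CVE-2021-28965 (per the ruby-lang advisory).
FIXED_REXML_VERSION = Gem::Version.new('3.2.5')

# True when the given REXML version string is at or above the fixed release.
# Defaults to the version of the REXML loaded in this process, which is what
# matters when Bundler may have replaced Ruby's bundled copy.
def rexml_patched?(version_string = REXML::VERSION)
  Gem::Version.new(version_string) >= FIXED_REXML_VERSION
end

# Structural fingerprint of a node. Elements become
# [expanded name, sorted [attribute, value] pairs, child fingerprints];
# text and CDATA nodes become their unescaped string. Whitespace-only text,
# comments and processing instructions are dropped so that only the content
# an application would act on is compared.
def fingerprint(node)
  case node
  when REXML::Element
    [
      node.expanded_name,
      node.attributes.map { |name, value| [name, value] }.sort,
      node.children.map { |child| fingerprint(child) }.compact
    ]
  when REXML::Text
    text = node.value
    text.strip.empty? ? nil : text
  end
end

# Parse, serialize, and re-parse; report whether the element tree survived
# the round trip unchanged. A correct parser gives a stable result; an
# unstable one means the document can read differently to a downstream
# consumer than to the component that validated it.
def round_trip_stable?(xml)
  first  = REXML::Document.new(xml)
  second = REXML::Document.new(first.to_s)
  fingerprint(first.root) == fingerprint(second.root)
end

# Defensive parse: refuse documents whose structure changes across a round trip.
def parse_strict(xml)
  unless round_trip_stable?(xml)
    raise ArgumentError, 'XML document changes across a parse/serialize round trip'
  end
  REXML::Document.new(xml)
end

# Constructed sample input (not from the advisory): entity references in both
# text and attribute values plus a CDATA section, all of which must decode
# identically on both passes.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <order id="42" note="a &amp; b">
    <item sku="X-1">Widget &lt;large&gt;</item>
    <!-- comments are ignored by the fingerprint -->
    <item sku="Y-2"><![CDATA[raw <text>]]></item>
  </order>
XML

if __FILE__ == $PROGRAM_NAME
  puts "loaded REXML #{REXML::VERSION}, patched: #{rexml_patched?}"
  puts "round trip stable: #{round_trip_stable?(SAMPLE_XML)}"
  parse_strict(SAMPLE_XML)
end
```

Run it with the application's own Gemfile active (`bundle exec ruby check.rb`) so the reported `REXML::VERSION` is the one the application loads. The fingerprint deliberately ignores comments and inter-element whitespace; if an application acts on those nodes, extend `fingerprint` to include them rather than loosening the comparison.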
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 3.0.1-1 |
| sles | | affected | |
| rocky | 8 | fixed | |
| debian | bullseye | fixed | 2.7.3-1 |
References
- https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
- https://security.archlinux.org/ASA-202104-1
- https://www.suse.com/security/cve/CVE-2021-28965.html
- https://errata.rockylinux.org/RLSA-2021:2588
- https://errata.rockylinux.org/RLSA-2021:2587
- https://errata.rockylinux.org/RLSA-2021:2584
- https://nvd.nist.gov/vuln/detail/CVE-2021-28965
- https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
- https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
- https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
- https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
- https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
- https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
- https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
- https://hackerone.com/reports/1104077
- https://github.com/ruby/rexml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT
- https://rubygems.org/gems/rexml
- https://security.netapp.com/advisory/ntap-20210528-0003
- https://security-tracker.debian.org/tracker/CVE-2021-28965
- https://errata.almalinux.org/8/ALSA-2021-2584.html
- https://errata.almalinux.org/8/ALSA-2021-2587.html
- https://errata.almalinux.org/8/ALSA-2021-2588.html