-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: ruby security update
Advisory ID:       RHSA-2020:2839-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2839
Issue date:        2020-07-07
CVE Names:         CVE-2018-16396 
====================================================================
1. Summary:

An update for ruby is now available for Red Hat Enterprise Linux 7.6
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode EUS (v. 7.6) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6) - noarch, x86_64
Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 7.6) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le, s390x
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le, s390x

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.

Security Fix(es):

* ruby: Tainted flags are not propagated in Array#pack and String#unpack
with some directives (CVE-2018-16396)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1643089 - CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives

6. Package List:

Red Hat Enterprise Linux ComputeNode EUS (v. 7.6):

Source:
ruby-2.0.0.648-38.el7_6.src.rpm

noarch:
ruby-irb-2.0.0.648-38.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-38.el7_6.noarch.rpm
rubygems-2.0.14.1-38.el7_6.noarch.rpm

x86_64:
ruby-2.0.0.648-38.el7_6.x86_64.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.i686.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm
ruby-libs-2.0.0.648-38.el7_6.i686.rpm
ruby-libs-2.0.0.648-38.el7_6.x86_64.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.x86_64.rpm
rubygem-io-console-0.4.2-38.el7_6.x86_64.rpm
rubygem-json-1.7.7-38.el7_6.x86_64.rpm
rubygem-psych-2.0.0-38.el7_6.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6):

noarch:
ruby-doc-2.0.0.648-38.el7_6.noarch.rpm
rubygem-minitest-4.3.2-38.el7_6.noarch.rpm
rubygem-rake-0.9.6-38.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-38.el7_6.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm
ruby-devel-2.0.0.648-38.el7_6.x86_64.rpm
ruby-tcltk-2.0.0.648-38.el7_6.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
ruby-2.0.0.648-38.el7_6.src.rpm

noarch:
ruby-irb-2.0.0.648-38.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-38.el7_6.noarch.rpm
rubygems-2.0.14.1-38.el7_6.noarch.rpm

ppc64:
ruby-2.0.0.648-38.el7_6.ppc64.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.ppc.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.ppc64.rpm
ruby-libs-2.0.0.648-38.el7_6.ppc.rpm
ruby-libs-2.0.0.648-38.el7_6.ppc64.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.ppc64.rpm
rubygem-io-console-0.4.2-38.el7_6.ppc64.rpm
rubygem-json-1.7.7-38.el7_6.ppc64.rpm
rubygem-psych-2.0.0-38.el7_6.ppc64.rpm

ppc64le:
ruby-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-libs-2.0.0.648-38.el7_6.ppc64le.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.ppc64le.rpm
rubygem-io-console-0.4.2-38.el7_6.ppc64le.rpm
rubygem-json-1.7.7-38.el7_6.ppc64le.rpm
rubygem-psych-2.0.0-38.el7_6.ppc64le.rpm

s390x:
ruby-2.0.0.648-38.el7_6.s390x.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.s390.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm
ruby-libs-2.0.0.648-38.el7_6.s390.rpm
ruby-libs-2.0.0.648-38.el7_6.s390x.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.s390x.rpm
rubygem-io-console-0.4.2-38.el7_6.s390x.rpm
rubygem-json-1.7.7-38.el7_6.s390x.rpm
rubygem-psych-2.0.0-38.el7_6.s390x.rpm

x86_64:
ruby-2.0.0.648-38.el7_6.x86_64.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.i686.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm
ruby-libs-2.0.0.648-38.el7_6.i686.rpm
ruby-libs-2.0.0.648-38.el7_6.x86_64.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.x86_64.rpm
rubygem-io-console-0.4.2-38.el7_6.x86_64.rpm
rubygem-json-1.7.7-38.el7_6.x86_64.rpm
rubygem-psych-2.0.0-38.el7_6.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
ruby-2.0.0.648-38.el7_6.src.rpm

aarch64:
ruby-2.0.0.648-38.el7_6.aarch64.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.aarch64.rpm
ruby-libs-2.0.0.648-38.el7_6.aarch64.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.aarch64.rpm
rubygem-io-console-0.4.2-38.el7_6.aarch64.rpm
rubygem-json-1.7.7-38.el7_6.aarch64.rpm
rubygem-psych-2.0.0-38.el7_6.aarch64.rpm

noarch:
ruby-irb-2.0.0.648-38.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-38.el7_6.noarch.rpm
rubygems-2.0.14.1-38.el7_6.noarch.rpm

ppc64le:
ruby-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-libs-2.0.0.648-38.el7_6.ppc64le.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.ppc64le.rpm
rubygem-io-console-0.4.2-38.el7_6.ppc64le.rpm
rubygem-json-1.7.7-38.el7_6.ppc64le.rpm
rubygem-psych-2.0.0-38.el7_6.ppc64le.rpm

s390x:
ruby-2.0.0.648-38.el7_6.s390x.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.s390.rpm
ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm
ruby-libs-2.0.0.648-38.el7_6.s390.rpm
ruby-libs-2.0.0.648-38.el7_6.s390x.rpm
rubygem-bigdecimal-1.2.0-38.el7_6.s390x.rpm
rubygem-io-console-0.4.2-38.el7_6.s390x.rpm
rubygem-json-1.7.7-38.el7_6.s390x.rpm
rubygem-psych-2.0.0-38.el7_6.s390x.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 7.6):

noarch:
ruby-doc-2.0.0.648-38.el7_6.noarch.rpm
rubygem-minitest-4.3.2-38.el7_6.noarch.rpm
rubygem-rake-0.9.6-38.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-38.el7_6.noarch.rpm

ppc64:
ruby-debuginfo-2.0.0.648-38.el7_6.ppc64.rpm
ruby-devel-2.0.0.648-38.el7_6.ppc64.rpm
ruby-tcltk-2.0.0.648-38.el7_6.ppc64.rpm

ppc64le:
ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-devel-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-tcltk-2.0.0.648-38.el7_6.ppc64le.rpm

s390x:
ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm
ruby-devel-2.0.0.648-38.el7_6.s390x.rpm
ruby-tcltk-2.0.0.648-38.el7_6.s390x.rpm

x86_64:
ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm
ruby-devel-2.0.0.648-38.el7_6.x86_64.rpm
ruby-tcltk-2.0.0.648-38.el7_6.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):

aarch64:
ruby-debuginfo-2.0.0.648-38.el7_6.aarch64.rpm
ruby-devel-2.0.0.648-38.el7_6.aarch64.rpm
ruby-tcltk-2.0.0.648-38.el7_6.aarch64.rpm

noarch:
ruby-doc-2.0.0.648-38.el7_6.noarch.rpm
rubygem-minitest-4.3.2-38.el7_6.noarch.rpm
rubygem-rake-0.9.6-38.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-38.el7_6.noarch.rpm

ppc64le:
ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-devel-2.0.0.648-38.el7_6.ppc64le.rpm
ruby-tcltk-2.0.0.648-38.el7_6.ppc64le.rpm

s390x:
ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm
ruby-devel-2.0.0.648-38.el7_6.s390x.rpm
ruby-tcltk-2.0.0.648-38.el7_6.s390x.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-16396
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXwRNKdzjgjWX9erEAQjb8Q/+JuRATy+at+oku3GQfesoyjQ0Pl7onxPB
2sxIOS1Zb6Na1ZKqqEgLtnj0Ns3/S94VK+hE0X0Mly7z7pqaL/Z6zbV5LAXPpzbW
vX+xs8/yQqbBvNdpKCML9AiK/ru27bnwzyuqk+txxiVisnYvyjFD2V/WX2dMsF9M
/VWj2npMVkA2+kW6n2kQiMfxCclux5v+kHO7n08eSk48XQdo4h57bfcSYRYEcogW
v6BrXmpSWlzPSEi9ncs/3TdPkcHmjGu8yDysX/WDcPXIch0HOg40E/3NxzmhC2a2
aDpBew8p4s9OZHj1V3i4YN3xgpMql8i9qPew7V8NEMqiQJbMMc7VboSwMVs6KVDf
PqN4iCnZHJErPKO6dPa4j/RBsZlpS5izuWRiapvNdn3e94CaAU/GLkVjlbelGtZ/
FQQlnoFXROtOqwmXeFAnd8jPsiJ0+RQYtMXFgtJ+brPBSRruuLvM9zKrz/118Ra3
9LpDJGqtVZoF9ID8dmTnM27upIZgBXNyOZDZGpDhAEHN1vf2TFzIIF2lcsSCxMHm
DGpvplLhNi8F812N7lnTj/QKpha9iMeoO3aCaRpah+gge8ZceWjnenujwmWm9H6Z
kSwNjSiGHRsiLFD12JdXrZoukYG1vyzqa5vCjsDDIKPVNFPWJW9XOHTm3SRQy0Kg
4WPQJQBzVDM=YekI
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-2839:01 Moderate: ruby security update

An update for ruby is now available for Red Hat Enterprise Linux 7.6 Extended Update Support

Summary

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
Security Fix(es):
* ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives (CVE-2018-16396)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Summary

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2018-16396 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux ComputeNode EUS (v. 7.6):
Source: ruby-2.0.0.648-38.el7_6.src.rpm
noarch: ruby-irb-2.0.0.648-38.el7_6.noarch.rpm rubygem-rdoc-4.0.0-38.el7_6.noarch.rpm rubygems-2.0.14.1-38.el7_6.noarch.rpm
x86_64: ruby-2.0.0.648-38.el7_6.x86_64.rpm ruby-debuginfo-2.0.0.648-38.el7_6.i686.rpm ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm ruby-libs-2.0.0.648-38.el7_6.i686.rpm ruby-libs-2.0.0.648-38.el7_6.x86_64.rpm rubygem-bigdecimal-1.2.0-38.el7_6.x86_64.rpm rubygem-io-console-0.4.2-38.el7_6.x86_64.rpm rubygem-json-1.7.7-38.el7_6.x86_64.rpm rubygem-psych-2.0.0-38.el7_6.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6):
noarch: ruby-doc-2.0.0.648-38.el7_6.noarch.rpm rubygem-minitest-4.3.2-38.el7_6.noarch.rpm rubygem-rake-0.9.6-38.el7_6.noarch.rpm rubygems-devel-2.0.14.1-38.el7_6.noarch.rpm
x86_64: ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm ruby-devel-2.0.0.648-38.el7_6.x86_64.rpm ruby-tcltk-2.0.0.648-38.el7_6.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 7.6):
Source: ruby-2.0.0.648-38.el7_6.src.rpm
noarch: ruby-irb-2.0.0.648-38.el7_6.noarch.rpm rubygem-rdoc-4.0.0-38.el7_6.noarch.rpm rubygems-2.0.14.1-38.el7_6.noarch.rpm
ppc64: ruby-2.0.0.648-38.el7_6.ppc64.rpm ruby-debuginfo-2.0.0.648-38.el7_6.ppc.rpm ruby-debuginfo-2.0.0.648-38.el7_6.ppc64.rpm ruby-libs-2.0.0.648-38.el7_6.ppc.rpm ruby-libs-2.0.0.648-38.el7_6.ppc64.rpm rubygem-bigdecimal-1.2.0-38.el7_6.ppc64.rpm rubygem-io-console-0.4.2-38.el7_6.ppc64.rpm rubygem-json-1.7.7-38.el7_6.ppc64.rpm rubygem-psych-2.0.0-38.el7_6.ppc64.rpm
ppc64le: ruby-2.0.0.648-38.el7_6.ppc64le.rpm ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm ruby-libs-2.0.0.648-38.el7_6.ppc64le.rpm rubygem-bigdecimal-1.2.0-38.el7_6.ppc64le.rpm rubygem-io-console-0.4.2-38.el7_6.ppc64le.rpm rubygem-json-1.7.7-38.el7_6.ppc64le.rpm rubygem-psych-2.0.0-38.el7_6.ppc64le.rpm
s390x: ruby-2.0.0.648-38.el7_6.s390x.rpm ruby-debuginfo-2.0.0.648-38.el7_6.s390.rpm ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm ruby-libs-2.0.0.648-38.el7_6.s390.rpm ruby-libs-2.0.0.648-38.el7_6.s390x.rpm rubygem-bigdecimal-1.2.0-38.el7_6.s390x.rpm rubygem-io-console-0.4.2-38.el7_6.s390x.rpm rubygem-json-1.7.7-38.el7_6.s390x.rpm rubygem-psych-2.0.0-38.el7_6.s390x.rpm
x86_64: ruby-2.0.0.648-38.el7_6.x86_64.rpm ruby-debuginfo-2.0.0.648-38.el7_6.i686.rpm ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm ruby-libs-2.0.0.648-38.el7_6.i686.rpm ruby-libs-2.0.0.648-38.el7_6.x86_64.rpm rubygem-bigdecimal-1.2.0-38.el7_6.x86_64.rpm rubygem-io-console-0.4.2-38.el7_6.x86_64.rpm rubygem-json-1.7.7-38.el7_6.x86_64.rpm rubygem-psych-2.0.0-38.el7_6.x86_64.rpm
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):
Source: ruby-2.0.0.648-38.el7_6.src.rpm
aarch64: ruby-2.0.0.648-38.el7_6.aarch64.rpm ruby-debuginfo-2.0.0.648-38.el7_6.aarch64.rpm ruby-libs-2.0.0.648-38.el7_6.aarch64.rpm rubygem-bigdecimal-1.2.0-38.el7_6.aarch64.rpm rubygem-io-console-0.4.2-38.el7_6.aarch64.rpm rubygem-json-1.7.7-38.el7_6.aarch64.rpm rubygem-psych-2.0.0-38.el7_6.aarch64.rpm
noarch: ruby-irb-2.0.0.648-38.el7_6.noarch.rpm rubygem-rdoc-4.0.0-38.el7_6.noarch.rpm rubygems-2.0.14.1-38.el7_6.noarch.rpm
ppc64le: ruby-2.0.0.648-38.el7_6.ppc64le.rpm ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm ruby-libs-2.0.0.648-38.el7_6.ppc64le.rpm rubygem-bigdecimal-1.2.0-38.el7_6.ppc64le.rpm rubygem-io-console-0.4.2-38.el7_6.ppc64le.rpm rubygem-json-1.7.7-38.el7_6.ppc64le.rpm rubygem-psych-2.0.0-38.el7_6.ppc64le.rpm
s390x: ruby-2.0.0.648-38.el7_6.s390x.rpm ruby-debuginfo-2.0.0.648-38.el7_6.s390.rpm ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm ruby-libs-2.0.0.648-38.el7_6.s390.rpm ruby-libs-2.0.0.648-38.el7_6.s390x.rpm rubygem-bigdecimal-1.2.0-38.el7_6.s390x.rpm rubygem-io-console-0.4.2-38.el7_6.s390x.rpm rubygem-json-1.7.7-38.el7_6.s390x.rpm rubygem-psych-2.0.0-38.el7_6.s390x.rpm
Red Hat Enterprise Linux Server Optional EUS (v. 7.6):
noarch: ruby-doc-2.0.0.648-38.el7_6.noarch.rpm rubygem-minitest-4.3.2-38.el7_6.noarch.rpm rubygem-rake-0.9.6-38.el7_6.noarch.rpm rubygems-devel-2.0.14.1-38.el7_6.noarch.rpm
ppc64: ruby-debuginfo-2.0.0.648-38.el7_6.ppc64.rpm ruby-devel-2.0.0.648-38.el7_6.ppc64.rpm ruby-tcltk-2.0.0.648-38.el7_6.ppc64.rpm
ppc64le: ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm ruby-devel-2.0.0.648-38.el7_6.ppc64le.rpm ruby-tcltk-2.0.0.648-38.el7_6.ppc64le.rpm
s390x: ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm ruby-devel-2.0.0.648-38.el7_6.s390x.rpm ruby-tcltk-2.0.0.648-38.el7_6.s390x.rpm
x86_64: ruby-debuginfo-2.0.0.648-38.el7_6.x86_64.rpm ruby-devel-2.0.0.648-38.el7_6.x86_64.rpm ruby-tcltk-2.0.0.648-38.el7_6.x86_64.rpm
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):
aarch64: ruby-debuginfo-2.0.0.648-38.el7_6.aarch64.rpm ruby-devel-2.0.0.648-38.el7_6.aarch64.rpm ruby-tcltk-2.0.0.648-38.el7_6.aarch64.rpm
noarch: ruby-doc-2.0.0.648-38.el7_6.noarch.rpm rubygem-minitest-4.3.2-38.el7_6.noarch.rpm rubygem-rake-0.9.6-38.el7_6.noarch.rpm rubygems-devel-2.0.14.1-38.el7_6.noarch.rpm
ppc64le: ruby-debuginfo-2.0.0.648-38.el7_6.ppc64le.rpm ruby-devel-2.0.0.648-38.el7_6.ppc64le.rpm ruby-tcltk-2.0.0.648-38.el7_6.ppc64le.rpm
s390x: ruby-debuginfo-2.0.0.648-38.el7_6.s390x.rpm ruby-devel-2.0.0.648-38.el7_6.s390x.rpm ruby-tcltk-2.0.0.648-38.el7_6.s390x.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity

Advisory ID: RHSA-2020:2839-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2020:2839

Issued Date: : 2020-07-07

CVE Names: CVE-2018-16396

Topic

An update for ruby is now available for Red Hat Enterprise Linux 7.6Extended Update Support.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.