Ruby vulnerable - 2.7.6_3,1

[katamadone [CH]]

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 22.7.9 (amd64/OpenSSL) at Fri Dec  2 09:22:58 CET 2022
vulnxml file up-to-date
ruby-2.7.6_3,1 is vulnerable:
  rubygem-cgi -- HTTP response splitting vulnerability
  CVE: CVE-2021-33621
  WWW: https://vuxml.FreeBSD.org/freebsd/84ab03b6-6c20-11ed-b519-080027f5fec9.html

1 problem(s) in 1 installed package(s) found.
***DONE***

[katamadone [CH]]

pkg info -dx ruby
ruby-2.7.6_3,1:
        libyaml-0.2.5
        openssl-1.1.1s,1
        libunwind-20211201_1
        libffi-3.4.3
        libedit-3.1.20221030,1

[seed]

There is no need to post any security audit in the forums. The developers are aware of those things. Most likely this will be patched in upcoming versions.

The security audit is for the user so that one can check if their environment is affected by those security issues.

[katamadone [CH]]

Actually I did not even ask a question, and thats bad.. First I wasn't sure about if anyone has the problem.
But then I did see the dependency.. so assumed it is a general "failure", but because of phone calls missed the explanation for it.

I'm not with you. But accept it.

[franco]

So the story is Fabian used Ruby in a few plugins to read and compute output generated by the software wrapped as a plugin:

benchmarks/iperf/Makefile:PLUGIN_DEPENDS=               iperf3 ruby
security/tor/Makefile:PLUGIN_DEPENDS=           tor ruby

There used to be net/frr as well but that was changed a while back.

Since there is no ruby 2.8 it definitely breaks going to 3.0 so someone needs to help port these scripts to support later Ruby or replace them with Python alternatives.

I'm relatively sure it does not deal with HTTP within that scope as per the vulnerability report, but I haven't checked.


Cheers,
Franco