Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Ruby vulnerable - 2.7.6_3,1
« previous
next »
Print
Pages: [
1
]
Author
Topic: Ruby vulnerable - 2.7.6_3,1 (Read 999 times)
katamadone [CH]
Jr. Member
Posts: 95
Karma: 11
Ruby vulnerable - 2.7.6_3,1
«
on:
December 02, 2022, 09:26:39 am »
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 22.7.9 (amd64/OpenSSL) at Fri Dec 2 09:22:58 CET 2022
vulnxml file up-to-date
ruby-2.7.6_3,1 is vulnerable:
rubygem-cgi -- HTTP response splitting vulnerability
CVE: CVE-2021-33621
WWW:
https://vuxml.FreeBSD.org/freebsd/84ab03b6-6c20-11ed-b519-080027f5fec9.html
1 problem(s) in 1 installed package(s) found.
***DONE***
Logged
katamadone [CH]
Jr. Member
Posts: 95
Karma: 11
Re: Ruby vulnerable - 2.7.6_3,1
«
Reply #1 on:
December 02, 2022, 09:33:01 am »
pkg info -dx ruby
ruby-2.7.6_3,1:
libyaml-0.2.5
openssl-1.1.1s,1
libunwind-20211201_1
libffi-3.4.3
libedit-3.1.20221030,1
Logged
seed
Full Member
Posts: 174
Karma: 12
Re: Ruby vulnerable - 2.7.6_3,1
«
Reply #2 on:
December 02, 2022, 10:38:09 am »
There is no need to post any security audit in the forums. The developers are aware of those things. Most likely this will be patched in upcoming versions.
The security audit is for the user so that one can check if their environment is affected by those security issues.
Logged
i want all services to run with wirespeed and therefore run this dedicated hardware configuration:
AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance
private user, no business use
katamadone [CH]
Jr. Member
Posts: 95
Karma: 11
Re: Ruby vulnerable - 2.7.6_3,1
«
Reply #3 on:
December 02, 2022, 01:44:37 pm »
Actually I did not even ask a question, and thats bad.. First I wasn't sure about if anyone has the problem.
But then I did see the dependency.. so assumed it is a general "failure", but because of phone calls missed the explanation for it.
I'm not with you. But accept it.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Ruby vulnerable - 2.7.6_3,1
«
Reply #4 on:
December 02, 2022, 02:14:29 pm »
So the story is Fabian used Ruby in a few plugins to read and compute output generated by the software wrapped as a plugin:
benchmarks/iperf
/Makefile:PLUGIN_DEPENDS= iperf3 ruby
security/tor
/Makefile:PLUGIN_DEPENDS= tor ruby
There used to be net/frr as well but that was changed a while back.
Since there is no ruby 2.8 it definitely breaks going to 3.0 so someone needs to help port these scripts to support later Ruby or replace them with Python alternatives.
I'm relatively sure it does not deal with HTTP within that scope as per the vulnerability report, but I haven't checked.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Ruby vulnerable - 2.7.6_3,1