Debian dla-4018 : libruby2.7 - security update

High | Nessus Plugin ID 214401

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4018 advisory.

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4018-1                        [email protected]
https://www.debian.org/lts/security/                        Bastien Roucaris
January 17, 2025                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby2.7
Version        : 2.7.4-1+deb11u3
CVE ID         : CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 CVE-2024-49761

Multiple vulnerabilities were found in Ruby, a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability when it parses an XML document that has many `<` characters in an attribute value. Those who need to parse untrusted XML may be affected by this vulnerability.

CVE-2024-39908

The REXML gem has several Denial of Service (DoS) vulnerabilities when it parses an XML document that contains many occurrences of specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XML, you may be affected by these vulnerabilities.

CVE-2024-41123

The REXML gem has several Denial of Service (DoS) vulnerabilities when it parses an XML document that contains many occurrences of specific characters such as whitespace characters, `>]` and `]>`.
If you need to parse untrusted XML, you may be affected by these vulnerabilities.

CVE-2024-41946

The REXML gem has a Denial of Service (DoS) vulnerability when it parses an XML document that has many entity expansions with the SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS) vulnerability when it parses an XML document that has many deeply nested elements whose attributes share the same local name.
If you need to parse untrusted XML with a tree parser API such as REXML::Document.new, you may be affected by this vulnerability. If you use other parser APIs, such as the stream parser API or the SAX2 parser API, you are not affected.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between `&#` and `x...;` in a hexadecimal numeric character reference (`&#x...;`).

For Debian 11 bullseye, these problems have been fixed in version 2.7.4-1+deb11u3.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7, please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libruby2.7 packages.

See Also

https://security-tracker.debian.org/tracker/source-package/ruby2.7

https://security-tracker.debian.org/tracker/CVE-2024-35176

https://security-tracker.debian.org/tracker/CVE-2024-39908

https://security-tracker.debian.org/tracker/CVE-2024-41123

https://security-tracker.debian.org/tracker/CVE-2024-41946

https://security-tracker.debian.org/tracker/CVE-2024-43398

https://security-tracker.debian.org/tracker/CVE-2024-49761

https://packages.debian.org/source/bullseye/ruby2.7

Plugin Details

Severity: High

ID: 214401

File Name: debian_DLA-4018.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/20/2025

Updated: 1/20/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-49761

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby2.7, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:ruby2.7-doc, p-cpe:/a:debian:debian_linux:ruby2.7-dev, p-cpe:/a:debian:debian_linux:libruby2.7

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/17/2025

Vulnerability Publication Date: 5/16/2024

Reference Information

CVE: CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761