Security update for rubygem-excon SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2053-1 Final 1 1 2020-07-27T08:07:54Z current 2020-07-27T08:07:54Z 2020-07-27T08:07:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-excon This update for rubygem-excon fixes the following issues: - CVE-2019-16779: Fixed an information leak in the socket handling for persistent connections (bsc#1159342) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-Basic-On-Demand-2020-2053,Image SLES12-SP5-Azure-Standard-On-Demand-2020-2053,Image SLES12-SP5-EC2-ECS-On-Demand-2020-2053,Image SLES12-SP5-EC2-On-Demand-2020-2053,Image SLES12-SP5-GCE-On-Demand-2020-2053,SUSE-2020-2053,SUSE-SLE-Module-Containers-12-2020-2053 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202053-1/ Link for SUSE-SU-2020:2053-1 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007186.html E-Mail link for SUSE-SU-2020:2053-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1159342 SUSE Bug 1159342 https://www.suse.com/security/cve/CVE-2019-16779/ SUSE CVE CVE-2019-16779 page Image SLES12-SP5-Azure-Basic-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-On-Demand SUSE Linux Enterprise Module for Containers 12 ruby2.1-rubygem-excon-0.52.0-12.3.8 ruby2.1-rubygem-excon-doc-0.52.0-12.3.8 ruby2.1-rubygem-excon-testsuite-0.52.0-12.3.8 ruby2.1-rubygem-excon-0.52.0-12.3.8 as a component of Image SLES12-SP5-Azure-Basic-On-Demand ruby2.1-rubygem-excon-0.52.0-12.3.8 as a component of Image SLES12-SP5-Azure-Standard-On-Demand ruby2.1-rubygem-excon-0.52.0-12.3.8 as a component of Image SLES12-SP5-EC2-ECS-On-Demand ruby2.1-rubygem-excon-0.52.0-12.3.8 as a component of Image SLES12-SP5-EC2-On-Demand ruby2.1-rubygem-excon-0.52.0-12.3.8 as a component of Image SLES12-SP5-GCE-On-Demand ruby2.1-rubygem-excon-0.52.0-12.3.8 as a component of SUSE Linux Enterprise Module for Containers 12 In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this. CVE-2019-16779 Image SLES12-SP5-Azure-Basic-On-Demand:ruby2.1-rubygem-excon-0.52.0-12.3.8 Image SLES12-SP5-Azure-Standard-On-Demand:ruby2.1-rubygem-excon-0.52.0-12.3.8 Image SLES12-SP5-EC2-ECS-On-Demand:ruby2.1-rubygem-excon-0.52.0-12.3.8 Image SLES12-SP5-EC2-On-Demand:ruby2.1-rubygem-excon-0.52.0-12.3.8 Image SLES12-SP5-GCE-On-Demand:ruby2.1-rubygem-excon-0.52.0-12.3.8 SUSE Linux Enterprise Module for Containers 12:ruby2.1-rubygem-excon-0.52.0-12.3.8 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202053-1/ https://www.suse.com/security/cve/CVE-2019-16779.html CVE-2019-16779 https://bugzilla.suse.com/1159342 SUSE Bug 1159342