PublicDateAtUSN: 2021-07-13 13:15:00 UTC
Candidate: CVE-2021-31810
PublicDate: 2021-07-13 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810
 https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
 https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
 https://hackerone.com/reports/1145454
 https://ubuntu.com/security/notices/USN-5020-1
Description:
 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x
 through 3.0.1. A malicious FTP server can use the PASV response to trick
 Net::FTP into connecting back to a given IP address and port. This
 potentially makes curl extract information about services that are
 otherwise private and not disclosed (e.g., the attacker can conduct port
 scans and service banner extractions).
Ubuntu-Description:
Notes:
 leosilva> for xenial, the backport can be kind of intrusive. for now ignoring it.
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N [5.8 MEDIUM]

Patches_ruby1.9.1:
upstream_ruby1.9.1: needs-triage
trusty_ruby1.9.1: ignored (out of standard support)
trusty/esm_ruby1.9.1: DNE
xenial_ruby1.9.1: DNE
bionic_ruby1.9.1: DNE
focal_ruby1.9.1: DNE
groovy_ruby1.9.1: DNE
hirsute_ruby1.9.1: DNE
impish_ruby1.9.1: DNE
jammy_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
trusty_ruby2.0: ignored (out of standard support)
trusty/esm_ruby2.0: DNE
xenial_ruby2.0: DNE
bionic_ruby2.0: DNE
focal_ruby2.0: DNE
groovy_ruby2.0: DNE
hirsute_ruby2.0: DNE
impish_ruby2.0: DNE
jammy_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
xenial_ruby2.3: ignored
esm-infra/xenial_ruby2.3: released (2.3.1-2~ubuntu16.04.16+esm1)
bionic_ruby2.3: DNE
focal_ruby2.3: DNE
groovy_ruby2.3: DNE
hirsute_ruby2.3: DNE
impish_ruby2.3: DNE
jammy_ruby2.3: DNE
devel_ruby2.3: DNE

Patches_ruby2.5:
upstream_ruby2.5: needs-triage
trusty_ruby2.5: DNE
trusty/esm_ruby2.5: DNE
xenial_ruby2.5: DNE
bionic_ruby2.5: released (2.5.1-1ubuntu1.10)
focal_ruby2.5: DNE
groovy_ruby2.5: DNE
hirsute_ruby2.5: DNE
impish_ruby2.5: DNE
jammy_ruby2.5: DNE
devel_ruby2.5: DNE

Patches_ruby2.7:
upstream_ruby2.7: needs-triage
trusty_ruby2.7: DNE
trusty/esm_ruby2.7: DNE
xenial_ruby2.7: DNE
bionic_ruby2.7: DNE
focal_ruby2.7: released (2.7.0-5ubuntu1.5)
groovy_ruby2.7: released (2.7.1-3ubuntu1.4)
hirsute_ruby2.7: released (2.7.2-4ubuntu1.2)
impish_ruby2.7: released (2.7.4-1ubuntu1)