Security update for rubygem-excon SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0139-1 Final 1 1 2020-01-29T16:41:25Z current 2020-01-29T16:41:25Z 2020-01-29T16:41:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-excon This update for rubygem-excon fixes the following issues: CVE-2019-16779 (boo#1159342): Fix a race condition around persistent connections, where a connection, which was interrupted, would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-139 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/24HLW5E7VDSXDL6W4QB2LMVOF74HLGW7/ E-Mail link for openSUSE-SU-2020:0139-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1159342 SUSE Bug 1159342 https://www.suse.com/security/cve/CVE-2019-16779/ SUSE CVE CVE-2019-16779 page SUSE Package Hub 15 SP1 ruby2.5-rubygem-excon-0.59.0-bp151.4.3.1 ruby2.5-rubygem-excon-doc-0.59.0-bp151.4.3.1 ruby2.5-rubygem-excon-testsuite-0.59.0-bp151.4.3.1 ruby2.5-rubygem-excon-0.59.0-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 ruby2.5-rubygem-excon-doc-0.59.0-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 ruby2.5-rubygem-excon-testsuite-0.59.0-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this. CVE-2019-16779 SUSE Package Hub 15 SP1:ruby2.5-rubygem-excon-0.59.0-bp151.4.3.1 SUSE Package Hub 15 SP1:ruby2.5-rubygem-excon-doc-0.59.0-bp151.4.3.1 SUSE Package Hub 15 SP1:ruby2.5-rubygem-excon-testsuite-0.59.0-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/24HLW5E7VDSXDL6W4QB2LMVOF74HLGW7/ https://www.suse.com/security/cve/CVE-2019-16779.html CVE-2019-16779 https://bugzilla.suse.com/1159342 SUSE Bug 1159342