From d2f71ce46dc13be840b918071265faec43a43cca Mon Sep 17 00:00:00 2001
From: Chayoung You
Date: Sun, 29 May 2022 23:56:25 +0900
Subject: [PATCH 1/3] Fix typos in news (ko)
---
...4-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md | 2 +-
ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md b/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md
index d8b74713b5..94a19f1458 100644
--- a/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md
+++ b/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md
@@ -1,6 +1,6 @@ --- layout: news_post -title: "CVE-2021-28965: REXML에서 XML 왕복 변환(round-trip) 취약점" +title: "CVE-2021-28965: REXML의 XML 왕복 변환(round-trip) 취약점" author: "mame" translator: "yous" date: 2021-04-05 12:00:00 +0000
diff --git a/ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md b/ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md
index 53ff39434d..b54e1a1ff2 100644
--- a/ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md
+++ b/ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md
@@ -1,6 +1,6 @@ --- layout: news_post -title: "CVE-2021-31799: A command injection vulnerability in RDoc" +title: "CVE-2021-31799: RDoc의 명령 주입 취약점" author: "aycabta" translator: "yous" date: 2021-05-02 09:00:00 +0000
From 5496445ce73ef11a8132eb88e5e3b78550fa62f2 Mon Sep 17 00:00:00 2001
From: Chayoung You
Date: Sun, 29 May 2022 23:57:13 +0900
Subject: [PATCH 2/3] Import original articles
---
.../_posts/2021-07-07-ruby-2-6-8-released.md | 61 +++++++++++++++++++
.../_posts/2021-07-07-ruby-2-7-4-released.md | 58 ++++++++++++++++++
.../_posts/2021-07-07-ruby-3-0-2-released.md | 49 +++++++++++++++
...21-07-07-starttls-stripping-in-net-imap.md | 37 +++++++++++
...7-07-trusting-pasv-responses-in-net-ftp.md | 37 +++++++++++
5 files changed, 242 insertions(+)
create mode 100644 ko/news/_posts/2021-07-07-ruby-2-6-8-released.md
create mode 100644 ko/news/_posts/2021-07-07-ruby-2-7-4-released.md
create mode 100644 ko/news/_posts/2021-07-07-ruby-3-0-2-released.md
create mode 100644 ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md
create mode 100644 ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md
diff --git a/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md b/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md
new file mode 100644
index 0000000000..70a0112bfe
--- /dev/null
+++ b/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md
@@ -0,0 +1,61 @@
+---
+layout: news_post
+title: "Ruby 2.6.8 Released"
+author: "usa"
+translator:
+date: 2021-07-07 09:00:00 +0000
+lang: en
+---
+
+Ruby 2.6.8 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %})
+* [CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %})
+* [CVE-2021-31799: A command injection vulnerability in RDoc]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %})
+
+We ordinally do not fix Ruby 2.6 except security fixes, but this release also includes some regressed bugs and build problem fixes.
+See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_7...v2_6_8) for details.
+
+Ruby 2.6 is now under the state of the security maintenance phase, until the end of March of 2022.
+After that date, maintenance of Ruby 2.6 will be ended.
+We recommend you start planning the migration to newer versions of Ruby, such as 3.0 or 2.7.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.6.8" | first %}
+
+* <{{ release.url.bz2 }}>
+
+ SIZE: {{ release.size.bz2 }}
+ SHA1: {{ release.sha1.bz2 }}
+ SHA256: {{ release.sha256.bz2 }}
+ SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+ SIZE: {{ release.size.gz }}
+ SHA1: {{ release.sha1.gz }}
+ SHA256: {{ release.sha256.gz }}
+ SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+ SIZE: {{ release.size.xz }}
+ SHA1: {{ release.sha1.xz }}
+ SHA256: {{ release.sha256.xz }}
+ SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+ SIZE: {{ release.size.zip }}
+ SHA1: {{ release.sha1.zip }}
+ SHA256: {{ release.sha256.zip }}
+ SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.
diff --git a/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md b/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md
new file mode 100644
index 0000000000..f366000a35
--- /dev/null
+++ b/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md
@@ -0,0 +1,58 @@
+---
+layout: news_post
+title: "Ruby 2.7.4 Released"
+author: "usa"
+translator:
+date: 2021-07-07 09:00:00 +0000
+lang: en
+---
+
+Ruby 2.7.4 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %})
+* [CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %})
+* [CVE-2021-31799: A command injection vulnerability in RDoc]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %})
+
+See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4) for details.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.7.4" | first %}
+
+* <{{ release.url.bz2 }}>
+
+ SIZE: {{ release.size.bz2 }}
+ SHA1: {{ release.sha1.bz2 }}
+ SHA256: {{ release.sha256.bz2 }}
+ SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+ SIZE: {{ release.size.gz }}
+ SHA1: {{ release.sha1.gz }}
+ SHA256: {{ release.sha256.gz }}
+ SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+ SIZE: {{ release.size.xz }}
+ SHA1: {{ release.sha1.xz }}
+ SHA256: {{ release.sha256.xz }}
+ SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+ SIZE: {{ release.size.zip }}
+ SHA1: {{ release.sha1.zip }}
+ SHA256: {{ release.sha256.zip }}
+ SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.
+
+The maintenance of Ruby 2.7, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association.
diff --git a/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md b/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md
new file mode 100644
index 0000000000..9e9ae10fd4
--- /dev/null
+++ b/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md
@@ -0,0 +1,49 @@
+---
+layout: news_post
+title: "Ruby 3.0.2 Released"
+author: "nagachika"
+translator:
+date: 2021-07-07 09:00:00 +0000
+lang: en
+---
+
+Ruby 3.0.2 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %})
+* [CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %})
+* [CVE-2021-31799: A command injection vulnerability in RDoc]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %})
+
+See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2) for details.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "3.0.2" | first %}
+
+* <{{ release.url.gz }}>
+
+ SIZE: {{ release.size.gz }}
+ SHA1: {{ release.sha1.gz }}
+ SHA256: {{ release.sha256.gz }}
+ SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+ SIZE: {{ release.size.xz }}
+ SHA1: {{ release.sha1.xz }}
+ SHA256: {{ release.sha256.xz }}
+ SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+ SIZE: {{ release.size.zip }}
+ SHA1: {{ release.sha1.zip }}
+ SHA256: {{ release.sha256.zip }}
+ SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.
diff --git a/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md b/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md
new file mode 100644
index 0000000000..bdbb3357ba
--- /dev/null
+++ b/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md
@@ -0,0 +1,37 @@
+---
+layout: news_post
+title: "CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP"
+author: "shugo"
+translator:
+date: 2021-07-07 09:00:00 +0000
+tags: security
+lang: en
+---
+
+A StartTLS stripping vulnerability was discovered in Net::IMAP.
+This vulnerability has been assigned the CVE identifier [CVE-2021-32066](https://nvd.nist.gov/vuln/detail/CVE-2021-32066).
+We strongly recommend upgrading Ruby.
+
+net-imap is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself.
+
+## Details
+
+Net::IMAP does not raise an exception when StartTLS
+fails with an unknown response, which might allow man-in-the-middle
+attackers to bypass the TLS protections by leveraging a network
+position between the client and the registry to block the StartTLS
+command, aka a "StartTLS stripping attack."
+
+## Affected Versions
+
+* Ruby 2.6 series: 2.6.7 and earlier
+* Ruby 2.7 series: 2.7.3 and earlier
+* Ruby 3.0 series: 3.0.1 and earlier
+
+## Credits
+
+Thanks to [Alexandr Savca](https://hackerone.com/chinarulezzz) for reporting the issue.
+
+## History
+
+* Originally published at 2021-07-07 09:00:00 UTC
diff --git a/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md b/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md
new file mode 100644
index 0000000000..871644b8c8
--- /dev/null
+++ b/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md
@@ -0,0 +1,37 @@
+---
+layout: news_post
+title: "CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP"
+author: "shugo"
+translator:
+date: 2021-07-07 09:00:00 +0000
+tags: security
+lang: en
+---
+
+A trusting FTP PASV responses vulnerability was discovered in Net::FTP.
+This vulnerability has been assigned the CVE identifier [CVE-2021-31810](https://nvd.nist.gov/vuln/detail/CVE-2021-31810).
+We strongly recommend upgrading Ruby.
+
+net-ftp is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself.
+
+## Details
+
+A malicious FTP server can use the PASV response to trick Net::FTP
+into connecting back to a given IP address and port. This
+potentially makes Net::FTP extract information about services that are
+otherwise private and not disclosed (e.g., the attacker can conduct port scans
+and service banner extractions).
+
+## Affected Versions
+
+* Ruby 2.6 series: 2.6.7 and earlier
+* Ruby 2.7 series: 2.7.3 and earlier
+* Ruby 3.0 series: 3.0.1 and earlier
+
+## Credits
+
+Thanks to [Alexandr Savca](https://hackerone.com/chinarulezzz) for reporting the issue.
+
+## History
+
+* Originally published at 2021-07-07 09:00:00 UTC
From 5291b0b4c4a7d611193a5f7302250600c956efb8 Mon Sep 17 00:00:00 2001
From: Chayoung You
Date: Sun, 29 May 2022 23:57:32 +0900
Subject: [PATCH 3/3] Translate 2021-07-07 news (ko)
---
.../_posts/2021-07-07-ruby-2-6-8-released.md | 36 ++++++++--------
.../_posts/2021-07-07-ruby-2-7-4-released.md | 30 +++++++-------
.../_posts/2021-07-07-ruby-3-0-2-released.md | 28 ++++++-------
...21-07-07-starttls-stripping-in-net-imap.md | 40 +++++++++----------
...7-07-trusting-pasv-responses-in-net-ftp.md | 40 +++++++++----------
5 files changed, 85 insertions(+), 89 deletions(-)
diff --git a/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md b/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md
index 70a0112bfe..c0bd8f2420 100644
--- a/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md
+++ b/ko/news/_posts/2021-07-07-ruby-2-6-8-released.md 
@@ -1,29 +1,29 @@ --- layout: news_post -title: "Ruby 2.6.8 Released" +title: "Ruby 2.6.8 릴리스" author: "usa" -translator: +translator: "yous" date: 2021-07-07 09:00:00 +0000 -lang: en +lang: ko --- -Ruby 2.6.8 has been released. +Ruby 2.6.8이 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}) -* [CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}) -* [CVE-2021-31799: A command injection vulnerability in RDoc]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}) +* [CVE-2021-31810: Net::FTP의 FTP PASV 응답 신뢰 취약점]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}) +* [CVE-2021-32066: Net::IMAP의 StartTLS 스트립 취약점]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}) +* [CVE-2021-31799: RDoc의 명령 주입 취약점]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}) -We ordinally do not fix Ruby 2.6 except security fixes, but this release also includes some regressed bugs and build problem fixes. -See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_7...v2_6_8) for details. +Ruby 2.6은 보안 수정 외에는 수정하지 않지만, 이 릴리스는 몇 가지 회귀 버그와 빌드 문제 수정을 포함하고 있습니다. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v2_6_7...v2_6_8)를 확인해주세요. -Ruby 2.6 is now under the state of the security maintenance phase, until the end of March of 2022. -After that date, maintenance of Ruby 2.6 will be ended. -We recommend you start planning the migration to newer versions of Ruby, such as 3.0 or 2.7. +Ruby 2.6은 현재 보안 유지보수 단계이고, 기한은 2022년 3월입니다. +이날 이후 Ruby 2.6의 유지보수는 종료됩니다. +Ruby 3.0, 2.7 등의 새 루비 버전으로 업그레이드할 계획을 세우기 바랍니다. 
-## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "2.6.8" | first %}
@@ -55,7 +55,7 @@ We recommend you start planning the migration to newer versions of Ruby, such as SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Many committers, developers, and users who provided bug reports helped us make this release. -Thanks for their contributions. +많은 커미터, 개발자, 버그를 보고해 준 사용자들이 이 릴리스를 만드는 데 도움을 주었습니다. +그들의 기여에 감사드립니다.
diff --git a/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md b/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md
index f366000a35..5fc2bf29c2 100644
--- a/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md
+++ b/ko/news/_posts/2021-07-07-ruby-2-7-4-released.md
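Review bot: The three advisory links added in the `@@ -1,29 +1,29 @@` hunk of the 2.6.8 post still point at `{%link en/news/_posts/... %}`, while the 2.7.4 and 3.0.2 posts translated in this same commit link to `{%link ko/news/_posts/... %}`, so readers of the Korean release note are sent to the English advisories even though the Korean ones exist at those paths in this series. Change the three targets to `{%link ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}`, `{%link ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}` and `{%link ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}`, matching the other two release posts.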
@@ -1,24 +1,24 @@ --- layout: news_post -title: "Ruby 2.7.4 Released" +title: "Ruby 2.7.4 릴리스" author: "usa" -translator: +translator: "yous" date: 2021-07-07 09:00:00 +0000 -lang: en +lang: ko --- -Ruby 2.7.4 has been released. +Ruby 2.7.4가 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}) -* [CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}) -* [CVE-2021-31799: A command injection vulnerability in RDoc]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}) +* [CVE-2021-31810: Net::FTP의 FTP PASV 응답 신뢰 취약점]({%link ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}) +* [CVE-2021-32066: Net::IMAP의 StartTLS 스트립 취약점]({%link ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}) +* [CVE-2021-31799: RDoc의 명령 주입 취약점]({%link ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}) -See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4) for details. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4)를 확인해주세요. -## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "2.7.4" | first %} 
@@ -50,9 +50,9 @@ See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4) for SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Many committers, developers, and users who provided bug reports helped us make this release. -Thanks for their contributions. +많은 커미터, 개발자, 버그를 보고해 준 사용자들이 이 릴리스를 만드는 데 도움을 주었습니다. +그들의 기여에 감사드립니다. -The maintenance of Ruby 2.7, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association. +이 릴리스를 포함한 Ruby 2.7의 유지보수는 Ruby Association의 "Ruby 안정 버전에 관한 협의"에 기반해 이루어집니다.
diff --git a/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md b/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md
index 9e9ae10fd4..633dcd5572 100644
--- a/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md
+++ b/ko/news/_posts/2021-07-07-ruby-3-0-2-released.md
@@ -1,24 +1,24 @@ --- layout: news_post -title: "Ruby 3.0.2 Released" +title: "Ruby 3.0.2 릴리스" author: "nagachika" -translator: +translator: "yous" date: 2021-07-07 09:00:00 +0000 -lang: en +lang: ko --- -Ruby 3.0.2 has been released. +Ruby 3.0.2가 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP]({%link en/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}) -* [CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP]({%link en/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}) -* [CVE-2021-31799: A command injection vulnerability in RDoc]({%link en/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}) +* [CVE-2021-31810: Net::FTP의 FTP PASV 응답 신뢰 취약점]({%link ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md %}) +* [CVE-2021-32066: Net::IMAP의 StartTLS 스트립 취약점]({%link ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md %}) +* [CVE-2021-31799: RDoc의 명령 주입 취약점]({%link ko/news/_posts/2021-05-02-os-command-injection-in-rdoc.md %}) -See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2) for details. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2)를 확인해주세요. -## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "3.0.2" | first %}
@@ -43,7 +43,7 @@ See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2) for SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Many committers, developers, and users who provided bug reports helped us make this release. -Thanks for their contributions. +많은 커미터, 개발자, 버그를 보고해 준 사용자들이 이 릴리스를 만드는 데 도움을 주었습니다. +그들의 기여에 감사드립니다.
diff --git a/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md b/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md
index bdbb3357ba..0d6ca6277c 100644
--- a/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md
+++ b/ko/news/_posts/2021-07-07-starttls-stripping-in-net-imap.md
@@ -1,37 +1,35 @@ --- layout: news_post -title: "CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP" +title: "CVE-2021-32066: Net::IMAP의 StartTLS 스트립 취약점" author: "shugo" -translator: +translator: "yous" date: 2021-07-07 09:00:00 +0000 tags: security -lang: en +lang: ko --- -A StartTLS stripping vulnerability was discovered in Net::IMAP. -This vulnerability has been assigned the CVE identifier [CVE-2021-32066](https://nvd.nist.gov/vuln/detail/CVE-2021-32066). -We strongly recommend upgrading Ruby. +Net::IMAP에서 StartTLS 스트립 취약점이 발견되었습니다. +이 취약점은 CVE 번호 [CVE-2021-32066](https://nvd.nist.gov/vuln/detail/CVE-2021-32066)에 할당되었습니다. +Ruby를 업그레이드하시길 강력히 권합니다. -net-imap is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself. +net-imap은 Ruby 3.0.1의 기본 gem이지만, 패키징 문제가 있으므로 Ruby 자체를 업그레이드하시기 바랍니다. -## Details +## 세부 내용 -Net::IMAP does not raise an exception when StartTLS -fails with an unknown response, which might allow man-in-the-middle -attackers to bypass the TLS protections by leveraging a network -position between the client and the registry to block the StartTLS -command, aka a "StartTLS stripping attack." +Net::IMAP은 StartTLS가 알 수 없는 응답과 함께 실패할 경우 예외를 발생시키지 않는데, +이는 중간자(man-in-the-middle) 공격자가 TLS 보호를 우회할 수 있도록 합니다. +일명 'StartTLS 스트립 공격'으로, 클라이언트와 레지스트리 사이에서 네트워크 위치를 이용해 StartTLS 명령을 차단합니다. -## Affected Versions +## 해당 버전 -* Ruby 2.6 series: 2.6.7 and earlier -* Ruby 2.7 series: 2.7.3 and earlier -* Ruby 3.0 series: 3.0.1 and earlier +* Ruby 2.6 버전대: 2.6.7 이하 +* Ruby 2.7 버전대: 2.7.3 이하 +* Ruby 3.0 버전대: 3.0.1 이하 -## Credits +## 도움을 준 사람 -Thanks to [Alexandr Savca](https://hackerone.com/chinarulezzz) for reporting the issue. +이 문제를 보고해 준 [Alexandr Savca](https://hackerone.com/chinarulezzz)에게 감사를 표합니다. -## History +## 수정 이력 -* Originally published at 2021-07-07 09:00:00 UTC +* 2021-07-07 09:00:00 UTC 최초 공개 
diff --git a/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md b/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md
index 871644b8c8..7477e1cc6b 100644
--- a/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md
+++ b/ko/news/_posts/2021-07-07-trusting-pasv-responses-in-net-ftp.md
@@ -1,37 +1,35 @@ --- layout: news_post -title: "CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP" +title: "CVE-2021-31810: Net::FTP의 FTP PASV 응답 신뢰 취약점" author: "shugo" -translator: +translator: "yous" date: 2021-07-07 09:00:00 +0000 tags: security -lang: en +lang: ko --- -A trusting FTP PASV responses vulnerability was discovered in Net::FTP. -This vulnerability has been assigned the CVE identifier [CVE-2021-31810](https://nvd.nist.gov/vuln/detail/CVE-2021-31810). -We strongly recommend upgrading Ruby. +Net::FTP에서 FTP PASV 응답 신뢰 취약점이 발견되었습니다. +이 취약점에 CVE 번호 [CVE-2021-31810](https://nvd.nist.gov/vuln/detail/CVE-2021-31810)이 할당되었습니다. +Ruby를 업그레이드하시길 강력히 권합니다. -net-ftp is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself. +net-ftp는 Ruby 3.0.1의 기본 gem이지만, 패키징 문제가 있으므로 Ruby 자체를 업그레이드하시기 바랍니다. -## Details +## 세부 내용 -A malicious FTP server can use the PASV response to trick Net::FTP -into connecting back to a given IP address and port. This -potentially makes Net::FTP extract information about services that are -otherwise private and not disclosed (e.g., the attacker can conduct port scans -and service banner extractions). +악의적인 FTP 서버에서 PASV 응답을 사용해 Net::FTP를 속여 주어진 IP 주소와 포트로 연결해 오도록 할 수 있습니다. +이를 통해 Net::FTP가 공개되지 않은 서비스의 정보를 추출하도록 할 수 있습니다. +(예를 들어, 공격자가 포트 스캔을 하거나 서비스 배너를 추출할 수 있습니다.) -## Affected Versions +## 해당 버전 -* Ruby 2.6 series: 2.6.7 and earlier -* Ruby 2.7 series: 2.7.3 and earlier -* Ruby 3.0 series: 3.0.1 and earlier +* Ruby 2.6 버전대: 2.6.7 이하 +* Ruby 2.7 버전대: 2.7.3 이하 +* Ruby 3.0 버전대: 3.0.1 이하 -## Credits +## 도움을 준 사람 -Thanks to [Alexandr Savca](https://hackerone.com/chinarulezzz) for reporting the issue. +이 문제를 보고해 준 [Alexandr Savca](https://hackerone.com/chinarulezzz)에게 감사를 표합니다. -## History +## 수정 이력 -* Originally published at 2021-07-07 09:00:00 UTC +* 2021-07-07 09:00:00 UTC 최초 공개