CVE-2021-32066 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Silent downgrade
Description	A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack”.

Group	Package	Affected	Fixed	Severity	Status
AVG-2141	logstash	7.10.2-1		High	Not affected
AVG-2140	ruby2.6	2.6.7-1	2.6.8-1	High	Fixed
AVG-2139	ruby2.7	2.7.3-1	2.7.4-1	High	Fixed
AVG-2138	ruby	3.0.1-1	3.0.2-1	High	Fixed
AVG-1906	jruby	9.2.19.0-1	9.3.0.0-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
14 Jul 2021	ASA-202107-25	AVG-2140	ruby2.6	High	multiple issues
14 Jul 2021	ASA-202107-24	AVG-2139	ruby2.7	High	multiple issues
14 Jul 2021	ASA-202107-23	AVG-2138	ruby	High	multiple issues

References
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ https://hackerone.com/reports/1178562 https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891