Amazon Linux 2023 Security Advisory: ALAS2023-2026-1690
Advisory Released Date: 2026-05-15
Advisory Updated Date: 2026-05-15
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue. (CVE-2026-41316)
Affected Packages:
ruby3.4
Issue Correction:
Run `dnf update ruby3.4 --releasever 2023.11.20260514` or `dnf update --advisory ALAS2023-2026-1690 --releasever 2023.11.20260514` to update your system.
More information on how to update your system can be found in the Amazon Linux 2023 documentation.
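A post-update check, added here as an example and not part of the advisory: it compares installed ruby3.4 builds against the fixed version-release 3.4.8-27.amzn2023.0.5 taken from this advisory's package list. The function names, the choice of three packages to check, and the sample inventory are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Amazon's tooling. Fixed build copied from the advisory.
FIXED_VR="3.4.8-27.amzn2023.0.5"
# Advisory packages that share the interpreter's version-release (assumed subset).
CHECKED="ruby3.4 ruby3.4-libs ruby3.4-default-gems"

# vr_at_least A B: succeeds when A sorts at or after B.
# sort -V approximates rpm's ordering; adequate for these dotted numeric strings.
vr_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Reads "NAME VERSION-RELEASE" lines on stdin, prints one verdict per checked
# package, and returns 1 if any of them is older than the fixed build.
audit_ruby34() {
    local name vr rc=0
    while read -r name vr; do
        case " $CHECKED " in *" $name "*) ;; *) continue ;; esac
        if vr_at_least "$vr" "$FIXED_VR"; then
            echo "OK      $name $vr"
        else
            echo "UPDATE  $name $vr (fixed in $FIXED_VR)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host output).
sample_inventory() {
    cat <<'EOF'
ruby3.4 3.4.8-27.amzn2023.0.5
ruby3.4-libs 3.4.8-26.amzn2023.0.1
ruby3.4-default-gems 3.4.7-30.amzn2023.0.2
bash 5.2.15-1.amzn2023.0.2
EOF
}

# On a real host, feed it the rpm database instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'ruby3.4*' | audit_ruby34
sample_inventory | audit_ruby34 || true
```

Ruby processes that were already running keep the old library loaded until they are restarted, so a clean result here says nothing about those processes.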
New Packages:
aarch64:
ruby3.4-bundled-gems-debuginfo-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-psych-debuginfo-5.2.2-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-rbs-debuginfo-3.8.0-27.amzn2023.0.5.aarch64
ruby3.4-libs-debuginfo-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-io-console-debuginfo-0.8.1-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-json-debuginfo-2.9.1-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-racc-1.8.1-27.amzn2023.0.5.aarch64
ruby3.4-devel-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-bigdecimal-debuginfo-3.1.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-io-console-0.8.1-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-json-2.9.1-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-bigdecimal-3.1.8-27.amzn2023.0.5.aarch64
ruby3.4-bundled-gems-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-debuginfo-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-rbs-3.8.0-27.amzn2023.0.5.aarch64
ruby3.4-debugsource-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-racc-debuginfo-1.8.1-27.amzn2023.0.5.aarch64
ruby3.4-libs-3.4.8-27.amzn2023.0.5.aarch64
ruby3.4-rubygem-psych-5.2.2-27.amzn2023.0.5.aarch64
noarch:
ruby3.4-rubygem-rexml-3.4.4-27.amzn2023.0.5.noarch
ruby3.4-rubygem-rdoc-6.14.0-27.amzn2023.0.5.noarch
ruby3.4-rubygem-rake-13.2.1-27.amzn2023.0.5.noarch
ruby3.4-rubygem-minitest-5.25.4-27.amzn2023.0.5.noarch
ruby3.4-rubygem-bundler-2.6.9-27.amzn2023.0.5.noarch
ruby3.4-rubygem-irb-1.14.3-27.amzn2023.0.5.noarch
ruby3.4-rubygem-typeprof-0.30.1-27.amzn2023.0.5.noarch
ruby3.4-rubygems-3.6.9-27.amzn2023.0.5.noarch
ruby3.4-rubygem-rss-0.3.1-27.amzn2023.0.5.noarch
ruby3.4-rubygem-test-unit-3.6.7-27.amzn2023.0.5.noarch
ruby3.4-rubygem-power_assert-2.0.5-27.amzn2023.0.5.noarch
ruby3.4-default-gems-3.4.8-27.amzn2023.0.5.noarch
ruby3.4-rubygems-devel-3.6.9-27.amzn2023.0.5.noarch
ruby3.4-doc-3.4.8-27.amzn2023.0.5.noarch
src:
ruby3.4-3.4.8-27.amzn2023.0.5.src
x86_64:
ruby3.4-libs-debuginfo-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-psych-5.2.2-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-io-console-debuginfo-0.8.1-27.amzn2023.0.5.x86_64
ruby3.4-debuginfo-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-bigdecimal-3.1.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-racc-1.8.1-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-json-2.9.1-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-io-console-0.8.1-27.amzn2023.0.5.x86_64
ruby3.4-debugsource-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-rbs-3.8.0-27.amzn2023.0.5.x86_64
ruby3.4-libs-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-rbs-debuginfo-3.8.0-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-bigdecimal-debuginfo-3.1.8-27.amzn2023.0.5.x86_64
ruby3.4-bundled-gems-debuginfo-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-psych-debuginfo-5.2.2-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-json-debuginfo-2.9.1-27.amzn2023.0.5.x86_64
ruby3.4-bundled-gems-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-3.4.8-27.amzn2023.0.5.x86_64
ruby3.4-rubygem-racc-debuginfo-1.8.1-27.amzn2023.0.5.x86_64
ruby3.4-devel-3.4.8-27.amzn2023.0.5.x86_64