An update for rubygem-bcrypt is now available for openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1723 Final 1.0 1.0 2026-03-27 Initial 2026-03-27 2026-03-27 openEuler SA Tool V1.0 2026-03-27 rubygem-bcrypt security update An update for rubygem-bcrypt is now available for openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2 bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project for hashing passwords. bcrypt-ruby provides a simple, humane wrapper for safely handling passwords. Security Fix(es): bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.(CVE-2026-33306) An update for rubygem-bcrypt is now available for openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium rubygem-bcrypt https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1723 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-33306 https://nvd.nist.gov/vuln/detail/CVE-2026-33306 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 rubygem-bcrypt-3.1.18-2.oe2403sp3.aarch64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403sp3.aarch64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403sp3.aarch64.rpm rubygem-bcrypt-3.1.12-2.oe2003sp4.aarch64.rpm rubygem-bcrypt-debuginfo-3.1.12-2.oe2003sp4.aarch64.rpm rubygem-bcrypt-debugsource-3.1.12-2.oe2003sp4.aarch64.rpm rubygem-bcrypt-3.1.12-2.oe2203sp4.aarch64.rpm rubygem-bcrypt-debuginfo-3.1.12-2.oe2203sp4.aarch64.rpm rubygem-bcrypt-debugsource-3.1.12-2.oe2203sp4.aarch64.rpm rubygem-bcrypt-3.1.18-2.oe2403.aarch64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403.aarch64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403.aarch64.rpm rubygem-bcrypt-3.1.18-2.oe2403sp1.aarch64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403sp1.aarch64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403sp1.aarch64.rpm rubygem-bcrypt-3.1.18-2.oe2403sp2.aarch64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403sp2.aarch64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403sp2.aarch64.rpm rubygem-bcrypt-3.1.18-2.oe2403sp3.src.rpm rubygem-bcrypt-3.1.12-2.oe2003sp4.src.rpm rubygem-bcrypt-3.1.12-2.oe2203sp4.src.rpm rubygem-bcrypt-3.1.18-2.oe2403.src.rpm rubygem-bcrypt-3.1.18-2.oe2403sp1.src.rpm rubygem-bcrypt-3.1.18-2.oe2403sp2.src.rpm rubygem-bcrypt-3.1.18-2.oe2403sp3.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403sp3.x86_64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403sp3.x86_64.rpm rubygem-bcrypt-3.1.12-2.oe2003sp4.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.12-2.oe2003sp4.x86_64.rpm rubygem-bcrypt-debugsource-3.1.12-2.oe2003sp4.x86_64.rpm rubygem-bcrypt-3.1.12-2.oe2203sp4.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.12-2.oe2203sp4.x86_64.rpm rubygem-bcrypt-debugsource-3.1.12-2.oe2203sp4.x86_64.rpm rubygem-bcrypt-3.1.18-2.oe2403.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403.x86_64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403.x86_64.rpm rubygem-bcrypt-3.1.18-2.oe2403sp1.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403sp1.x86_64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403sp1.x86_64.rpm rubygem-bcrypt-3.1.18-2.oe2403sp2.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.18-2.oe2403sp2.x86_64.rpm rubygem-bcrypt-debugsource-3.1.18-2.oe2403sp2.x86_64.rpm rubygem-bcrypt-help-3.1.18-2.oe2403sp3.noarch.rpm rubygem-bcrypt-help-3.1.12-2.oe2003sp4.noarch.rpm rubygem-bcrypt-help-3.1.12-2.oe2203sp4.noarch.rpm rubygem-bcrypt-help-3.1.18-2.oe2403.noarch.rpm rubygem-bcrypt-help-3.1.18-2.oe2403sp1.noarch.rpm rubygem-bcrypt-help-3.1.18-2.oe2403sp2.noarch.rpm bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31. 2026-03-27 CVE-2026-33306 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 Medium 6.7 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N rubygem-bcrypt security update 2026-03-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1723