Fix CVE-2026-41316: upgrade erb gem to 4.0.3.1 in ama-logs Linux image

[zanejohnson-azure]

Summary

Mitigates CVE-2026-41316 in the erb Ruby default gem (HIGH) flagged by trivy on the ama-logs 3.4.0 candidate image.

Installs the patched erb 4.0.3.1 from rubygems and removes the vulnerable default erb-4.0.3 gemspec shipped with ruby 3.3.10, following the same pattern already used for zlib (CVE-2026-27820) directly above.

Why install-and-delete instead of just upgrading ruby?

No released Ruby version yet ships erb 4.0.3.1.

Ruby	bundled erb
3.3.10, 3.3.11 (latest 3.3.x release)	4.0.3 — vulnerable
3.4.0 – 3.4.6 (latest 3.4.x release)	4.0.4 — vulnerable
ruby_3_3 branch HEAD (unreleased)	4.0.3.1
ruby_3_4 branch HEAD (unreleased)	4.0.4.1
master	6.0.4

The patched erb only lives in (1) the rubygems.org gem and (2) unreleased ruby maintenance branches. Until ruby 3.3.12 / 3.4.7 ships and AzureLinux picks it up, installing the gem and shadowing the default gemspec is the only available fix.

Verification

• Confirmed erb 4.0.3.1 exists on rubygems (published 2026-04-21, sha 871b7da4...).
• Confirmed ciprod:3.3.0 ships ruby 3.3.10 with erb-4.0.3.gemspec in the default specs dir.

Follow-up

Added an inline comment in setup.sh noting that whenever ruby is upgraded next, the maintainer should check the bundled erb version and drop this block if it's already 4.0.3.1+.

[suyadav1]

Do we know if erb gem is used in ama-logs?

[zanejohnson-azure]

also, erb is default and core gem (a part of stdlib of ruby, and erb can't be removed using gem uninstall command since it is a part of stdlib), thus, removing it could cause ruby failure at runtime.

fluentd load it at runtime. w/o this gem, fluentd may fail to start. out of curiosity, i removed erb and will do some test. but no matter what the result is, i suggest we should not remove it considering erb is in stdlib of ruby.

update:
removing this erb trigger some runtime load error, though fluentd does not crash.

<internal:.../kernel_require.rb>:136:in `require': cannot load such file -- erb (LoadError)
Did you mean?  irb
               drb
  from <internal:.../kernel_require.rb>:136:in `require'
  from .../webrick-1.9.2/lib/webrick/httpservlet/erbhandler.rb:14:in `<top (required)>'
  from .../webrick-1.9.2/lib/webrick/httpservlet.rb:15:in `require_relative'
  from .../webrick-1.9.2/lib/webrick/httpservlet.rb:15:in `<top (required)>'
  from .../webrick-1.9.2/lib/webrick/httpserver.rb:18:in `require_relative'
  from .../webrick-1.9.2/lib/webrick/httpserver.rb:18:in `<top (required)>'
  from .../webrick-1.9.2/lib/webrick.rb:230:in `<top (required)>'
  from .../fluentd-1.16.3/lib/fluent/plugin_helper/http_server/compat/webrick_handler.rb:17
  from .../fluentd-1.16.3/lib/fluent/plugin_helper/http_server/compat/server.rb:18
  from .../fluentd-1.16.3/lib/fluent/plugin_helper/http_server.rb:21:in `rescue in <top (required)>'   ← caught here
  from .../fluentd-1.16.3/lib/fluent/plugin_helper/http_server.rb:17:in `<top (required)>'
  from .../fluentd-1.16.3/lib/fluent/plugin_helper.rb:25
  from .../fluentd-1.16.3/lib/fluent/plugin/filter.rb:22
  from .../fluentd-1.16.3/lib/fluent/compat/filter.rb:18
  from .../fluentd-1.16.3/lib/fluent/filter.rb:17
  from .../fluentd-1.16.3/lib/fluent/event_router.rb:19
  from .../fluentd-1.16.3/lib/fluent/engine.rb:19
  from .../fluentd-1.16.3/lib/fluent/supervisor.rb:24
  ...

A Ruby LoadError raised when fluentd's startup tried to require 'erb'. The chain:

1. fluentd loads plugin_helper.rb → which loads plugin_helper/http_server.rb (always, regardless of config)
2. http_server.rb tries to require its webrick-based backend (compat/webrick_handler.rb)
3. webrick autoloads httpservlet/erbhandler.rb → which does require 'erb'
4. The erb stdlib was deleted from the image → LoadError: cannot load such file -- erb