Univention Bugzilla – Bug 50655
ruby2.3: Multiple issues (4.3)
Last modified: 2019-12-18 13:48:07 CET
New Debian ruby2.3 2.3.3-1+deb9u7 fixes: This update addresses the following issues: * Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. (CVE-2019-15845) * regular expression denial of service vulnerability of WEBrick's Digest access authentication (CVE-2019-16201) * Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF. (CVE-2019-16254) * Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. (CVE-2019-16255)
--- mirror/ftp/4.3/unmaintained/4.3-5/source/ruby2.3_2.3.3-1+deb9u6.dsc +++ apt/ucs_4.3-0-errata4.3-5/source/ruby2.3_2.3.3-1+deb9u7.dsc @@ -1,3 +1,12 @@ +2.3.3-1+deb9u7 [Sun, 15 Dec 2019 17:28:25 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Fix for wrong fnmatch patttern (CVE-2019-15845) + * Loop with String#scan without creating substring (CVE-2019-16201) + * WEBrick: prevent response splitting and header injection (CVE-2019-16254) + * lib/shell/command-processor.rb (Shell#[]): prevent unknown command + (CVE-2019-16255) + 2.3.3-1+deb9u6 [Fri, 12 Apr 2019 20:28:46 +0200] Moritz Mühlenhoff <jmm@debian.org>: * CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324 <http://10.200.17.11/4.3-5/#1230547813016341318>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.3-5] bec33985fc Bug #50655: ruby2.3 2.3.3-1+deb9u7 doc/errata/staging/ruby2.3.yaml | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) [4.3-5] 64af80e06b Bug #50655: ruby2.3 2.3.3-1+deb9u7 doc/errata/staging/ruby2.3.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)
<http://errata.software-univention.de/ucs/4.3/625.html>