Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#63977 - [ruby] [ruby2.5] CVE-2019-16255, CVE-2019-16254, CVE-2019-15845, CVE-2019-16201

Attached to Project: Arch Linux
Opened by Pascal E. (hardfalcon) - Tuesday, 01 October 2019, 13:20 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 02 October 2019, 10:56 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Archlinux currently ships ruby 2.6.4 and ruby2.5 2.5.5.

Ruby >=2.6.4 and ruby2.5 >=2.5.7 are affected by the following 4 CVEs:

* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

Additionally, ruby2.5 >=2.5.6 is affected by XSS vulnerabilities in jQuery shipped with RDoc (which bundled in Ruby):
* CVE-2012-6708
* CVE-2015-9251
https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
This task depends upon

Closed by  Antonio Rojas (arojas)
Wednesday, 02 October 2019, 10:56 GMT
Reason for closing:  Fixed
Comment by Levente Polyak (anthraxx) - Tuesday, 01 October 2019, 13:29 GMT
Ruby 2.5.7 fixes the issues above
Comment by Levente Polyak (anthraxx) - Tuesday, 01 October 2019, 13:31 GMT
we package rdoc as a separated non bundled packages, please file a new report against ruby-rdoc
Comment by Pascal E. (hardfalcon) - Tuesday, 01 October 2019, 14:44 GMT
Thanks for the hint, I've opened an additional issue for ruby-rdoc:
https://bugs.archlinux.org/task/63978

Loading...