FS#63977 - [ruby] [ruby2.5] CVE-2019-16255, CVE-2019-16254, CVE-2019-15845, CVE-2019-16201
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 01 October 2019, 13:20 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 02 October 2019, 10:56 GMT
Details
Archlinux currently ships ruby 2.6.4 and ruby2.5 2.5.5.
Ruby >=2.6.4 and ruby2.5 >=2.5.7 are affected by the following 4 CVEs:

* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
  https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
  https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

Additionally, ruby2.5 >=2.5.6 is affected by XSS vulnerabilities in jQuery shipped with RDoc (which is bundled in Ruby):

* CVE-2012-6708
* CVE-2015-9251
  https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
This task depends upon
https://bugs.archlinux.org/task/63978