[FREEBSD:F7FCB75C-E537-11E9-863E-B9B7AF01BA9E] ruby -- multiple vulnerabilities

Severity High
Affected Packages 1
CVEs 4

Ruby news:

  This release includes security fixes. Please check the topics below for
  details.

  CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
  File.fnmatch?
    A NUL injection vulnerability of Ruby built-in methods (File.fnmatch
    and File.fnmatch?) was found. An attacker who has the control of the
    path pattern parameter could exploit this vulnerability to make path
    matching pass despite the intention of the program author.

  CVE-2019-16201: Regular Expression Denial of Service vulnerability of
  WEBrick's Digest access authentication
    Regular expression denial of service vulnerability of WEBrick's Digest
    authentication module was found. An attacker can exploit this
    vulnerability to cause an effective denial of service against a WEBrick
    service.

  CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
    There is an HTTP response splitting vulnerability in WEBrick bundled
    with Ruby.

  CVE-2019-16255: A code injection vulnerability of Shell#[] and
  Shell#test
    A code injection vulnerability of Shell#[] and Shell#test in a standard
    library (lib/shell.rb) was found.

Package             Affected Version
pkg:freebsd/ruby    < 2.4.9,1

Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:freebsd/ruby ruby < 2.4.9,1