Advisories » MGASA-2019-0408

Updated ruby packages fix security vulnerabilities

Publication date: 25 Dec 2019
Modification date: 25 Dec 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255

Description

Updated ruby packages fix security vulnerabilities:

It was discovered that Ruby incorrectly handled certain files. An attacker
could possibly use this issue to pass path matching, which can lead to
unauthorized access (CVE-2019-15845).

It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service
(CVE-2019-16201).

It was discovered that Ruby incorrectly handled certain HTTP headers. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2019-16254).

It was discovered that Ruby incorrectly handled certain inputs. An attacker
could possibly use this issue to execute arbitrary code (CVE-2019-16255).
                

References

SRPMS

7/core