[SECURITY] [DLA 2007-1] ruby2.1 security update

2019-11-2521:24:29

lists.debian.org

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.011 Low

EPSS

Percentile

83.9%

JSON

Package : ruby2.1
Version : 2.1.5-2+deb8u8
CVE ID : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254
CVE-2019-16255

Several flaws have been found in ruby2.1, an interpreter of an
object-oriented scripting language.

CVE-2019-15845
Path matching might pass in File.fnmatch and File.fnmatch? due
to a NUL character injection.

CVE-2019-16201
A loop caused by a wrong regular expression could lead to a denial
of service of a WEBrick service.

CVE-2019-16254
This is the same issue as CVE-2017-17742, whose fix was not complete.

CVE-2019-16255
Giving untrusted data to the first argument of Shell#[] and
Shell#test might lead to a code injection vulnerability.

For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u8.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9mipsruby2.3-dbgsym< 2.3.3-1+deb9u7ruby2.3-dbgsym_2.3.3-1+deb9u7_mips.deb
Debian9s390xruby2.3-tcltk< 2.3.3-1+deb9u7ruby2.3-tcltk_2.3.3-1+deb9u7_s390x.deb
Debian10arm64libruby2.5-dbgsym< 2.5.5-3+deb10u1libruby2.5-dbgsym_2.5.5-3+deb10u1_arm64.deb
Debian9i386ruby2.3-tcltk-dbgsym< 2.3.3-1+deb9u7ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u7_i386.deb
Debian10mips64ellibruby2.5< 2.5.5-3+deb10u1libruby2.5_2.5.5-3+deb10u1_mips64el.deb
Debian9armhfruby2.3< 2.3.3-1+deb9u7ruby2.3_2.3.3-1+deb9u7_armhf.deb
Debian8i386ruby2.1-dev< 2.1.5-2+deb8u8ruby2.1-dev_2.1.5-2+deb8u8_i386.deb
Debian10mipslibruby2.5< 2.5.5-3+deb10u1libruby2.5_2.5.5-3+deb10u1_mips.deb
Debian9i386ruby2.3-dev< 2.3.3-1+deb9u7ruby2.3-dev_2.3.3-1+deb9u7_i386.deb
Debian9amd64libruby2.3-dbgsym< 2.3.3-1+deb9u7libruby2.3-dbgsym_2.3.3-1+deb9u7_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	mips	ruby2.3-dbgsym	< 2.3.3-1+deb9u7	ruby2.3-dbgsym_2.3.3-1+deb9u7_mips.deb
Debian	9	s390x	ruby2.3-tcltk	< 2.3.3-1+deb9u7	ruby2.3-tcltk_2.3.3-1+deb9u7_s390x.deb
Debian	10	arm64	libruby2.5-dbgsym	< 2.5.5-3+deb10u1	libruby2.5-dbgsym_2.5.5-3+deb10u1_arm64.deb
Debian	9	i386	ruby2.3-tcltk-dbgsym	< 2.3.3-1+deb9u7	ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u7_i386.deb
Debian	10	mips64el	libruby2.5	< 2.5.5-3+deb10u1	libruby2.5_2.5.5-3+deb10u1_mips64el.deb
Debian	9	armhf	ruby2.3	< 2.3.3-1+deb9u7	ruby2.3_2.3.3-1+deb9u7_armhf.deb
Debian	8	i386	ruby2.1-dev	< 2.1.5-2+deb8u8	ruby2.1-dev_2.1.5-2+deb8u8_i386.deb
Debian	10	mips	libruby2.5	< 2.5.5-3+deb10u1	libruby2.5_2.5.5-3+deb10u1_mips.deb
Debian	9	i386	ruby2.3-dev	< 2.3.3-1+deb9u7	ruby2.3-dev_2.3.3-1+deb9u7_i386.deb
Debian	9	amd64	libruby2.3-dbgsym	< 2.3.3-1+deb9u7	libruby2.3-dbgsym_2.3.3-1+deb9u7_amd64.deb