ESB-2019.0821 - [Win][UNIX/Linux] Ruby: Multiple vulnerabilities 2019-03-14


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0821
                       Ruby 2.5.4 and 2.6.2 released
                               14 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Delete Arbitrary Files          -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8325 CVE-2019-8324 CVE-2019-8323
                   CVE-2019-8322 CVE-2019-8321 CVE-2019-8320

Reference:         ESB-2019.0678

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
   https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-6-2-released/

Comment: This bulletin contains two (2) Ruby security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.5.4 Released

Posted by nagachika on 13 Mar 2019

Ruby 2.5.4 has been released.

This release includes bug fixes and a security update of the bundled RubyGems.
See details in "Multiple vulnerabilities in RubyGems" and the commit logs.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.tar.bz2

    SIZE:   14167366 bytes
    SHA1:   ac3248a055b5317cec53d3f922559c5b4a67d410
    SHA256: 8a16566207b2334a6904a10a1f093befc3aaf9b2e6cf01c62b1c4ac15cb7d8fc
    SHA512: 3c4f54f38ee50914a44d07e4fd299e53dddd045f2d38da2140586b8a9c45d1172fec2ad5b0411c228a9b31f5e161214820903a65b98caf3b0dfeeaabf2cab6ad

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.tar.gz

    SIZE:   15995815 bytes
    SHA1:   330bb5472f565b683c7f8c9091d4ee0cc155b51b
    SHA256: 0e4042bce749352dfcf1b9e3013ba7c078b728f51f8adaf6470ce37675e3cb1f
    SHA512: 6e58006c30d8ae561967e051ec0a34f34f899eee1b039abb65c9a63dc65965e210d238fff19fa7c7411893df25dfc40426887a195993153fb9e09bbf769dfc14

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.tar.xz

    SIZE:   11493016 bytes
    SHA1:   221b8538e75a8d04af8b9a09f56343e463bf94f8
    SHA256: 46f6eff655a6be1939f70c7a4c1bf58f76663e7e804738bc52f4d47ca31dee3d
    SHA512: e72294e549d09510f20c808d26a0d21ef0ee2616d8598980a42db260d45340e5c259ac65e5478a8b086042ff6ba7d8447a6c8115454ffe977c4f63175ab89062

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.zip

    SIZE:   19186174 bytes
    SHA1:   855be9a5a43a1e0621ad2e81c27de9370d2abcc8
    SHA256: 823a6a2c9c7baa18554fd78d430837a01ab33cc16ad1759c9842bdd9523e9cea
    SHA512: a83f90514b09c217fbbd154cfc09c804553353a97cbff7df24185b613e1c7be69a965fe9ec925ac3f4bd6170f2c3d0d60be7ea4ab1037ce64300d7443b6e08e8

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

--------------------------------------------------------------------------------

Ruby 2.6.2 Released

Posted by naruse on 13 Mar 2019

Ruby 2.6.2 has been released.

This release includes bug fixes and a security update of the bundled RubyGems.

See details in "Multiple vulnerabilities in RubyGems" and the commit logs.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.tar.gz

    SIZE:   16777765 bytes
    SHA1:   44c6634a41f63ebdc1f3ce6ddcf48a4766bb4df7
    SHA256: a0405d2bf2c2d2f332033b70dff354d224a864ab0edd462b7a413420453b49ab
    SHA512: bc96a6793a1e3111598b82b0aad98dc5b465e39cdb5b788c4259818752e028a44545c6489c02c323db0f43a362c26f0900acfba0277d6e2201587d7252f6125f

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.zip

    SIZE:   20601169 bytes
    SHA1:   fce5c289842e6e4c4bc7950214d82c0858086baa
    SHA256: 65b862e5c86346d6bda05fc193c6f2cd728ddfd357f4b0a19d54d48a50984d13
    SHA512: 60ccabbca50d51186b6715edcd8e4fa704e8b9159a23f073e8d3aafef3858a98ade416156af94a479d1af5555c4c4b5b71267f0f563a518e5e6112ce9921bb8b

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.tar.bz2

    SIZE:   14634343 bytes
    SHA1:   5839fc6e6568ac4f26a20382bd8fe0d998dffbb0
    SHA256: d126ada7f4147ce1029a80c2a37a0c4bfb37e9e82da8816662241a43faeb8915
    SHA512: cad678d2ced4085e99009e4fef83c067dd0e6ead27a8695bc212c0e5112a7fa09ceb27f82638faf91932ef8bdd090f844e0a878ffdf6845a891da4b858588aa0

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.tar.xz

    SIZE:   11889840 bytes
    SHA1:   b7b3432519f80ea50adc9bfb937c7a46865a93d5
    SHA256: 91fcde77eea8e6206d775a48ac58450afe4883af1a42e5b358320beb33a445fa
    SHA512: 13f7d7b483a037378eac4bf4bebddc21d69f4e19e6bbb397dd53e7518037ae9a3aa5b41fc20bf1fe410803c6efc3a6a65a65af47648d3a93713f75cfe885326a
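Checking a downloaded archive against the sizes and digests published in the two Download sections above, as an added example (not code from the Ruby project or this bulletin). The `RELEASES` table copies the `.tar.gz` values from the release notes; the function names and the 1 MiB read size are this example's own choices.

```ruby
require 'digest'

# Published values for the .tar.gz archives, copied from the release notes above.
# Hex digests are compared case-insensitively.
RELEASES = {
  'ruby-2.5.4.tar.gz' => {
    size:   15995815,
    sha1:   '330bb5472f565b683c7f8c9091d4ee0cc155b51b',
    sha256: '0e4042bce749352dfcf1b9e3013ba7c078b728f51f8adaf6470ce37675e3cb1f',
    sha512: '6e58006c30d8ae561967e051ec0a34f34f899eee1b039abb65c9a63dc65965e210d238fff19fa7c7411893df25dfc40426887a195993153fb9e09bbf769dfc14',
  },
  'ruby-2.6.2.tar.gz' => {
    size:   16777765,
    sha1:   '44c6634a41f63ebdc1f3ce6ddcf48a4766bb4df7',
    sha256: 'a0405d2bf2c2d2f332033b70dff354d224a864ab0edd462b7a413420453b49ab',
    sha512: 'bc96a6793a1e3111598b82b0aad98dc5b465e39cdb5b788c4259818752e028a44545c6489c02c323db0f43a362c26f0900acfba0277d6e2201587d7252f6125f',
  },
}.freeze

DIGESTS = { sha1: Digest::SHA1, sha256: Digest::SHA256, sha512: Digest::SHA512 }.freeze

# Stream the file once, feeding every digest, then compare each value with the
# published record. Returns { size: bool, sha1: bool, sha256: bool, sha512: bool }
# so the caller can see exactly which value disagreed, not just that one did.
def verify_archive(path, expected)
  digests = DIGESTS.transform_values(&:new)
  File.open(path, 'rb') do |f|
    while (chunk = f.read(1 << 20))
      digests.each_value { |d| d.update(chunk) }
    end
  end
  results = { size: File.size(path) == expected[:size] }
  digests.each { |name, d| results[name] = d.hexdigest == expected[name].downcase }
  results
end

# True only when the size and all three digests match.
def verified?(path, expected)
  verify_archive(path, expected).values.all?
end

# Command-line use: ruby verify.rb ruby-2.6.2.tar.gz  (exit status 0 on success)
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  path = ARGV[0]
  expected = RELEASES.fetch(File.basename(path)) { abort "no published checksums for #{File.basename(path)}" }
  verify_archive(path, expected).each { |check, ok| puts "#{check}: #{ok ? 'OK' : 'MISMATCH'}" }
  exit verified?(path, expected)
end
```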

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================