
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4448
                          ruby2.1 security update
                             26 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby2.1
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16255 CVE-2019-16254 CVE-2019-16201
                   CVE-2019-15845 CVE-2017-17742 

Reference:         ESB-2019.3678
                   ESB-2018.3348.2
                   ESB-2018.1258

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ruby2.1
Version        : 2.1.5-2+deb8u8
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254
                  CVE-2019-16255


Several flaws have been found in ruby2.1, an interpreter of an
object-oriented scripting language.

CVE-2019-15845
      Path matching in File.fnmatch and File.fnmatch? might pass
      unexpectedly due to NUL character injection.

CVE-2019-16201
      A loop caused by a wrong regular expression could lead to a denial
      of service of a WEBrick service.

CVE-2019-16254
      This is the same issue as CVE-2017-17742, whose fix was not complete.

CVE-2019-16255
      Giving untrusted data to the first argument of Shell#[] and
      Shell#test might lead to a code injection vulnerability.
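The NUL-injection issue above is a good reminder that untrusted strings should be
validated before they reach a C-level matcher. The following is an added example,
not Debian's or Ruby's own code: a wrapper `safe_fnmatch?` (a hypothetical helper
name) that rejects non-String, invalidly encoded or NUL-containing inputs before
calling File.fnmatch?, and goes one step beyond the advisory by also passing
File::FNM_PATHNAME so that `*` cannot match a directory separator. The sample
inputs are constructed for illustration.

```ruby
# Added example (not from the Debian advisory or the Ruby project):
# validate untrusted pattern/path strings before File.fnmatch?.

# Returns true only when both arguments are well-formed Strings and the
# path matches the pattern. Inputs containing a NUL byte are refused up
# front, so an interpreter without the CVE-2019-15845 fix never sees them.
def safe_fnmatch?(pattern, path)
  [pattern, path].each do |s|
    return false unless s.is_a?(String)
    return false unless s.valid_encoding?
    return false if s.include?("\0")
  end
  # FNM_PATHNAME: '*' does not match '/', so "*.txt" cannot match "../x.txt"
  File.fnmatch?(pattern, path, File::FNM_PATHNAME)
end

# Constructed sample inputs for the pattern "*.txt" with expected results.
SAMPLES = {
  "report.txt"        => true,
  "notes.txt"         => true,
  "../etc/passwd.txt" => false, # directory hop blocked by FNM_PATHNAME
  "script.rb\0.txt"   => false, # NUL byte: rejected before matching
  "report.txt\0"      => false, # trailing NUL: rejected before matching
}.freeze

# Runs every sample through safe_fnmatch? and returns {path => result}.
def check_samples(pattern = "*.txt")
  SAMPLES.keys.each_with_object({}) { |p, h| h[p] = safe_fnmatch?(pattern, p) }
end

# True when every constructed sample produced the expected verdict.
def all_samples_as_expected?
  check_samples == SAMPLES
end

if $PROGRAM_NAME == __FILE__
  check_samples.each { |path, ok| puts "#{path.inspect} -> #{ok}" }
  puts "all as expected: #{all_samples_as_expected?}"
end
```

The same discipline applies to the Shell#[] and Shell#test issue: data that can
carry NUL bytes or shell metacharacters should be checked against an allowlist
before it is handed to any method that forwards it to the operating system.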


For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u8.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----