===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4696
                          ruby2.5 security update
                              18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
                   Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16255 CVE-2019-16254 CVE-2019-16201
                   CVE-2019-15845
Reference:         ESB-2019.4603
                   ESB-2019.4477
                   ESB-2019.4448
                   ESB-2019.3678

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4586
   http://www.debian.org/security/2019/dsa-4587

Comment: This bulletin contains two (2) Debian security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4586-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby2.5
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which could result in unauthorized access by bypassing
intended path matchings, denial of service, or the execution of
arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u1.

We recommend that you upgrade your ruby2.5 packages.

For the detailed security status of ruby2.5 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby2.5

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4587-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which could result in unauthorized access by bypassing
intended path matchings, denial of service, or the execution of
arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 2.3.3-1+deb9u7.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
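As an added check that is not part of the Debian or AusCERT text, the script below reimplements dpkg's version ordering in Python and flags installed packages that are still below the fixed versions stated in DSA-4586-1 and DSA-4587-1. The libruby2.5/libruby2.3 entries are an assumption (same source package, same version string), and the dpkg-query sample is constructed.

```python
import re
# Fixed versions from DSA-4586-1/DSA-4587-1 above; the lib* rows assume the same source version.
FIXED = {
    "buster": {"ruby2.5": "2.5.5-3+deb10u1", "libruby2.5": "2.5.5-3+deb10u1"},
    "stretch": {"ruby2.3": "2.3.3-1+deb9u7", "libruby2.3": "2.3.3-1+deb9u7"},
}

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end of string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit runs (by _order) and digit runs (numerically).
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to the empty string
    epoch, _, rest = v.partition(":") if ":" in v else ("0", ":", v)
    upstream, hyphen, revision = rest.rpartition("-")
    return int(epoch), (upstream if hyphen else rest), revision

def compare_versions(v1, v2):
    # Returns -1, 0 or 1 using the ordering of dpkg --compare-versions.
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def unpatched(dpkg_output, suite):
    # (package, installed, fixed) for listed packages still below the DSA's fixed version.
    rows = []
    for line in dpkg_output.splitlines():
        pkg, ver = line.split()
        fixed = FIXED[suite].get(pkg)
        if fixed and compare_versions(ver, fixed) < 0:
            rows.append((pkg, ver, fixed))
    return rows

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output on a buster host.
SAMPLE = "ruby2.5 2.5.5-3\nlibruby2.5 2.5.5-3+deb10u1\nruby 1:2.5.1\n"
```

Feed it the real output of `dpkg-query -W -f '${Package} ${Version}\n' 'ruby2.*' 'libruby2.*'` from each host to get the list of packages the advisory still applies to.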