-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3678
                      Ruby 2.4.8/2.5.7/2.6.5 released
                              2 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16255 CVE-2019-16254 CVE-2019-16201
                   CVE-2019-15845  

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/
   https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
   https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/
   https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
   https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
   https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
   https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

Comment: This bulletin contains three (3) Ruby security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.4.8 Released

Posted by usa on 1 Oct 2019

Ruby 2.4.8 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  o CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  o CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
    File.fnmatch?
  o CVE-2019-16201: Regular Expression Denial of Service vulnerability of
    WEBrick's Digest access authentication

Ruby 2.4 is now in the security maintenance phase, which lasts until the end
of March 2020. After that date, maintenance of Ruby 2.4 will end. We
recommend you start planning the migration to a newer version of Ruby, such
as 2.6 or 2.5.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.bz2

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.gz

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.xz

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.zip

Release Comment

Thanks to everyone who helped with this release, especially the reporters of
the vulnerabilities.

===============================================================================

Ruby 2.5.7 Released

Posted by usa on 1 Oct 2019

Ruby 2.5.7 has been released.

This release includes security fixes as listed below. Please check the topics
below for details.

  o CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  o CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  o CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
    File.fnmatch?
  o CVE-2019-16201: Regular Expression Denial of Service vulnerability of
    WEBrick's Digest access authentication

See the commit log for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.tar.bz2

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.tar.gz

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.tar.xz

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.zip

Release Comment

Thanks to everyone who helped with this release.

The maintenance of Ruby 2.5, including this release, is based on the
"Agreement for the Ruby stable version" of the Ruby Association.

===============================================================================

Ruby 2.6.5 Released

Posted by nagachika on 1 Oct 2019

Ruby 2.6.5 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  o CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  o CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
    File.fnmatch?
  o CVE-2019-16201: Regular Expression Denial of Service vulnerability of
    WEBrick's Digest access authentication

See the commit logs for changes in detail.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.tar.bz2

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.tar.gz

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.tar.xz

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.zip

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----