-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3678
                     Ruby 2.4.8/2.5.7/2.6.5 released
                               2 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16255 CVE-2019-16254 CVE-2019-16201
                   CVE-2019-15845

Original Bulletin:
   https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/
   https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
   https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/
   https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
   https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
   https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
   https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

Comment: This bulletin contains three (3) Ruby security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.4.8 Released

Posted by usa on 1 Oct 2019

Ruby 2.4.8 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  o CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  o CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
    File.fnmatch?
  o CVE-2019-16201: Regular Expression Denial of Service vulnerability of
    WEBrick's Digest access authentication

Ruby 2.4 is now under the state of the security maintenance phase, until
the end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.bz2
      SIZE:   12204030
      SHA1:   5f742a8df243fa4e216ff6f0c26cc8222a182459
      SHA256: e30eedd91386bec81489d2637522c9017aebba46f98e8b502f679df6b2f6a469
      SHA512: 2d7e0f5ad766e2a12a1b53ff838e6bfe86244ffb7202196769c25e9df6f71f3ccdd8605e7ef35c53e54310bc82caf6b368ad5111dd0a3ad70a3aae1a7be93f08

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.gz
      SIZE:   13800260
      SHA1:   a13b0915b7fb3dd0fe1ed6a4e3640034038ba6c9
      SHA256: 37f0d180afa56ec3e7a3669c6f1b6ee8a47a811261f0e1afa8f817c8b577bd68
      SHA512: 4e5068b73356a9fa0bd2c8aaa261909039653c62dc363dd8b36c9c73b11b9c4e6ade752d7c67f1b38c00e27a4861f94ce696158bd210035ea0b417d0887a329b

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.xz
      SIZE:   9813812
      SHA1:   adf24e0b0ad1755067435f21baa8d142bcaff5a9
      SHA256: a2a8f53ef14b891821dbbf67b081d7b9e223007a347000ff4a86a226a4708272
      SHA512: 5f51a8312c23c1c2bfbb9c59efbd789492a4a7e4b1d4e7764db6eaaa542008e814b40817f10825e22c7fa8715fb9187be5d09b06128da211559b3601785937ea

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.zip
      SIZE:   15322048
      SHA1:   756a206a5f91c1237432f693b157a6842039d760
      SHA256: a84e1c946761b1ed947194b6248a50f9aee21ca412dcd6021973951fd846a035
      SHA512: dcf7dead5baed4ffbd68016581ef1162f78729db9b5a49501a04d68d768e9138faa6e293c91dd9203a9a28d406bb236dd633688f1e96a07906e37db273ac8846

Release Comment

Thanks to everyone who helped with this release, especially, to reporters
of the vulnerability.

===============================================================================

Ruby 2.5.7 Released

Posted by usa on 1 Oct 2019

Ruby 2.5.7 has been released.

This release includes security fixes as listed below. Please check the
topics below for details.

  o CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  o CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  o CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
    File.fnmatch?
  o CVE-2019-16201: Regular Expression Denial of Service vulnerability of
    WEBrick's Digest access authentication

See the commit log for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.tar.bz2
      SIZE:   13794351
      SHA1:   51154b6bfed967b5acd7903790402172ced2563b
      SHA256: e67c69b141ed27158e47d9a4fe7e59749135b0f138dce06c8c15c3214543f56f
      SHA512: 7d6a7d41b4f3789f46be5f996099f3eb8321aa4778b2a8ff44142654e769ba4ba2df127dd0f267547e4c8cd6ff46364f18e79838df54fcd7e3fb714294ee0099

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.tar.gz
      SIZE:   15669771
      SHA1:   541039290d188fff683a1d2f2892bd74854dd022
      SHA256: 0b2d0d5e3451b6ab454f81b1bfca007407c0548dea403f1eba2e429da4add6d4
      SHA512: 6c4219e1ac316fb00cdd5ff2ac6292448e6ddf49f25eda91426f8e0072288e8849d5c623bf9d532b8e93997b23dddc24718921d92b74983aac8fdb50db4ee809

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.tar.xz
      SIZE:   11296440
      SHA1:   dd6b2841334ee99250fdf6a29c4eda501df6be97
      SHA256: 201870e8f58957d542233fef588b1d76f7bf962fea44dcbd2237f4a5899a3f95
      SHA512: 63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef47428ce1c433fd77fa96992e976c984697067fa526236d383b12adc9ce75

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.7.zip
      SIZE:   19051936
      SHA1:   2b761378ec667ca5980d37cb3c591bdf88c51e45
      SHA256: c56821bea150166c599195679c0629f8dfc16984aae0ed744bf306ef45abbd68
      SHA512: a5543a5b7dcee1d92c4edd874b1be92d5451402ce1320cc5c8f49188fa2243d70413f31b9e5cce7f434f1f37e6f8c3aef1be5407e5075eacbd7ca6836c67e6e3

Release Comment

Thanks to everyone who helped with this release.

The maintenance of Ruby 2.5, including this release, is based on the
Agreement for the Ruby stable version of the Ruby Association.

===============================================================================

Ruby 2.6.5 Released

Posted by nagachika on 1 Oct 2019

Ruby 2.6.5 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  o CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  o CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
    File.fnmatch?
  o CVE-2019-16201: Regular Expression Denial of Service vulnerability of
    WEBrick's Digest access authentication

See the commit logs for changes in detail.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.tar.bz2
      SIZE:   14134619
      SHA1:   d959802f994594f3296362883b5ce7edf5e6e465
      SHA256: 97ddf1b922f83c1f5c50e75bf54e27bba768d75fea7cda903b886c6745e60f0a
      SHA512: 28e0b04ac8ca85203eb8939137b5e5de4850c933faf7f62fc69648fe1886faaabf6cdf48382f9d9585c1720876d10b41dafd33efaeb23341c309917fbd8a6e21

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.tar.gz
      SIZE:   16172159
      SHA1:   1416ce288fb8bfeae07a12b608540318c9cace71
      SHA256: 66976b716ecc1fd34f9b7c3c2b07bbd37631815377a2e3e85a5b194cfdcbed7d
      SHA512: 7ab7a0cdaf4863152efc86dbcfada7f10ab3fe33590eee3b6ab7b26fc27835a8a0ded4ec02b58e9969175582a2be5410da3dc9f8694a3cd2db97708bd72773e1

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.tar.xz
      SIZE:   11553580
      SHA1:   575d3f68cbfa753fb07b538824711214f859b9c0
      SHA256: d5d6da717fd48524596f9b78ac5a2eeb9691753da5c06923a6c31190abe01a62
      SHA512: e8ae3b5d4d23a93d0ef6057235ad0e573665a8b4b6544e1c70b4cce9c4d2fb9094e5c8fe8a9ab7b9996efe3ada603f9b4ef1fd08fb5a83253c1ae2b5e3f202db

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.5.zip
      SIZE:   19839803
      SHA1:   66d850ea8275615b1282ef832c34645bbf9ebb16
      SHA256: 9455170dd264f69bd92ab0f4f30e5bdfc1ecafe32568114f1588a3850ca6e5fd
      SHA512: b9f54090f982695d92fc555cd1090db34496284edc69e335a16dea0d3189a33847464d1d1b701599bdabad0688efdf43cbbea41426f816a666d8ba7ccae6b5cf

Release Comment

Many committers, developers, and users who provided bug reports helped us
make this release. Thanks for their contributions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXZPbAWaOgq3Tt24GAQicYQ//TcgwXDYTnEqbJMl8s9r6MXmmZgVYhrYz
dw6YdxmlP8IfNdFfpzjk2ygVi4pThfgNwO+y7xhmLJcADHO1eILAsBXi9Kp18ote
Kk9+dT5ajLiaCvSBE1PCI8FmfKZndEFAY4D3Hq2nunVC16GxbEhaje+wXcMYWyj3
RNMWyBfAS5mOfIRr4gVys+fpD1sQUSbmonM2rboZTtE3foGPktRBCHPj1ZkWhv7O
eKVOoiDllrChgKgrorhmpBIH8h/vgDKvVBmkFPvA2UOeg4zH2mMJ+kya3bW1BVen
2Q5WTpLPyZ7CIUCXsOw63rfvWOHzakEvbuH0cBxRNxzVf42gLBITseWcz3EYunTU
UQrPEwTRP4fr6u4SSZvzwr9GW83A8TE3kCMoIWJu57GFl6f4Tl+ie4XzElO1v852
ATdzPBtCVN+Gy0E/3XTt8PQuwZr+e8lUUwvTknOTqJMU+Nhrh+9UndBiPLWahHnd
8H2TKGt70RW5hMb6HnBAyPWBEPjnWsaYmzRp1PbSBzRzJm7UJ802DSGEeRqhySmf
U2NUaBO7hcle7XHtD0LjkEoQXA8STCloXRjPNQW9WesJixiAW2ukU+aknmSoghNR
tr9988bGDgTmgMq7hkXpmSJdeY5mEoZ1SJf8zWzosy9Yv1ZHBdBZJqP50eJluGpx
b3P0phU9rcM=
=wlHD
-----END PGP SIGNATURE-----
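The bulletin's resolution is "Patch/Upgrade", and the release posts give checksums for each archive. The following script is an added example, not code from AusCERT or from the Ruby project: it checks whether an interpreter is at or above the fixed release for its 2.4/2.5/2.6 series, and verifies a downloaded archive against the SHA256 values listed above. The fixed versions and the SHA256 checksums are copied from the bulletin; the function names, the choice to return nil for a series the bulletin does not cover, and the constructed sample file in the demonstration are this example's own.

```ruby
# Added example for ESB-2019.3678 (not AusCERT's or ruby-lang.org's code).
require 'digest'
require 'tempfile'

# First release of each series that carries the four fixes, per the bulletin.
FIXED_VERSIONS = {
  '2.4' => Gem::Version.new('2.4.8'),
  '2.5' => Gem::Version.new('2.5.7'),
  '2.6' => Gem::Version.new('2.6.5')
}.freeze

# SHA256 checksums of the .tar.xz archives, copied from the bulletin's
# Download sections.
EXPECTED_SHA256 = {
  'ruby-2.4.8.tar.xz' => 'a2a8f53ef14b891821dbbf67b081d7b9e223007a347000ff4a86a226a4708272',
  'ruby-2.5.7.tar.xz' => '201870e8f58957d542233fef588b1d76f7bf962fea44dcbd2237f4a5899a3f95',
  'ruby-2.6.5.tar.xz' => 'd5d6da717fd48524596f9b78ac5a2eeb9691753da5c06923a6c31190abe01a62'
}.freeze

# true  -> version is in a covered series and at/above the fixed release
# false -> version is in a covered series but older than the fixed release
# nil   -> series not covered by this bulletin (e.g. 2.3, already end-of-life),
#          so "unknown" is kept distinct from "vulnerable"
def patched?(version = RUBY_VERSION)
  v = Gem::Version.new(version)
  series = v.segments[0, 2].join('.')
  fixed = FIXED_VERSIONS[series]
  return nil if fixed.nil?
  v >= fixed
end

# Hashes the file incrementally (the archives are 10-20 MB) and compares the
# hex digest with the expected value. Case is normalised so a hand-copied
# upper-case checksum does not produce a false mismatch.
def checksum_ok?(path, expected_hex)
  Digest::SHA256.file(path).hexdigest == expected_hex.strip.downcase
end

# Looks up the expected checksum by archive file name; nil if the bulletin
# lists no SHA256 for that name.
def verify_release_archive(path)
  expected = EXPECTED_SHA256[File.basename(path)]
  return nil if expected.nil?
  checksum_ok?(path, expected)
end

# Self-contained demonstration on a constructed file (not a Ruby tarball):
# the untouched file verifies, and the same file with one extra byte does not.
def demo_checksum_roundtrip
  Tempfile.create('ruby-sample') do |f|
    f.binmode
    f.write("constructed sample bytes, not a real Ruby tarball\n")
    f.flush
    expected = Digest::SHA256.hexdigest(File.binread(f.path))
    untouched = checksum_ok?(f.path, expected)
    f.write('x') # simulate a corrupted or truncated download
    f.flush
    modified = checksum_ok?(f.path, expected)
    { untouched: untouched, modified: modified }
  end
end

if __FILE__ == $PROGRAM_NAME
  case patched?
  when true  then puts "Ruby #{RUBY_VERSION}: at or above the fixed release"
  when false then puts "Ruby #{RUBY_VERSION}: older than the fixed release, upgrade"
  else            puts "Ruby #{RUBY_VERSION}: series not covered by ESB-2019.3678"
  end
  ARGV.each do |path|
    result = verify_release_archive(path)
    puts "#{path}: #{result.nil? ? 'no checksum listed' : (result ? 'SHA256 OK' : 'SHA256 MISMATCH')}"
  end
end
```

Run it with no arguments to classify the current interpreter, or pass downloaded archive paths (named as in the bulletin, e.g. ruby-2.6.5.tar.xz) to check their SHA256. A `false` from `patched?` means the series is covered and the version predates the fix; `nil` means the bulletin says nothing about that series and should not be read as "safe".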