===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4448
                          ruby2.1 security update
                             26 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby2.1
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16255 CVE-2019-16254 CVE-2019-16201
                   CVE-2019-15845 CVE-2017-17742
Reference:         ESB-2019.3678
                   ESB-2018.3348.2
                   ESB-2018.1258

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : ruby2.1
Version        : 2.1.5-2+deb8u8
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several flaws have been found in ruby2.1, an interpreter of an
object-oriented scripting language.

CVE-2019-15845

    Path matching might pass in File.fnmatch and File.fnmatch? due
    to a NUL character injection.

CVE-2019-16201

    A loop caused by a wrong regular expression could lead to a denial
    of service of a WEBrick service.

CVE-2019-16254

    This is the same issue as CVE-2017-17742, whose fix was not complete.

CVE-2019-16255

    Giving untrusted data to the first argument of Shell#[] and
    Shell#test might lead to a code injection vulnerability.

For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u8.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
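Added example, not part of the AusCERT or Debian text and not code from Ruby itself: input guards for the two input-handling bug classes the bulletin names (NUL bytes reaching File.fnmatch?, and untrusted data selecting the operation in Shell#[] / Shell#test), for callers that cannot upgrade immediately. The names safe_fnmatch?, checked_test_op, guarded_file_test and ALLOWED_TESTS are hypothetical, and the file test is run through Kernel.test rather than the Shell library.

```ruby
# Added illustration; every name defined here is hypothetical.

class UntrustedInputError < ArgumentError; end

# CVE-2019-15845 class: refuse NUL bytes before glob matching, so the
# matcher never receives a string with an embedded NUL character.
def safe_fnmatch?(pattern, path, flags = 0)
  [pattern, path].each do |s|
    raise UntrustedInputError, "expected a String" unless s.is_a?(String)
    raise UntrustedInputError, "NUL byte in input" if s.include?("\0")
  end
  File.fnmatch?(pattern, path, flags)
end

# CVE-2019-16255 class: the first argument of Shell#[] / Shell#test selects
# the operation, so it is mapped through a fixed list and never passed on
# as received. This allowlist is an assumed, application-chosen one.
ALLOWED_TESTS = { "exists" => "e", "file" => "f", "directory" => "d" }.freeze

# Returns the single-character test command for an allowed operation name.
def checked_test_op(name)
  ALLOWED_TESTS.fetch(name.to_s) do
    raise UntrustedInputError, "test operation not allowed: #{name.inspect}"
  end
end

# Validates both arguments, then runs the file test with Kernel.test.
def guarded_file_test(op_name, path)
  raise UntrustedInputError, "expected a String path" unless path.is_a?(String)
  raise UntrustedInputError, "NUL byte in path" if path.include?("\0")
  Kernel.test(checked_test_op(op_name), path)
end
```

These guards reduce exposure in calling code only; the fixed package version named in the bulletin remains the resolution.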