MGASA-2019-0408 - Updated ruby packages fix security vulnerabilities

Publication date: 25 Dec 2019
URL: https://advisories.mageia.org/MGASA-2019-0408.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-15845,
     CVE-2019-16201,
     CVE-2019-16254,
     CVE-2019-16255

Updated ruby packages fix security vulnerabilities:

It was discovered that Ruby incorrectly handled certain files. An attacker
could possibly use this issue to pass path matching what can lead to an
unauthorized access (CVE-2019-15845).

It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service
(CVE-2019-16201).

It was discovered that Ruby incorrectly handled certain HTTP headers. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2019-16254).

It was discovered that Ruby incorrectly handled certain inputs. An attacker
could possibly use this issue to execute arbitrary code (CVE-2019-16255).

References:
- https://bugs.mageia.org/show_bug.cgi?id=25564
- https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
- https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
- https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
- https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
- https://usn.ubuntu.com/4201-1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255

SRPMS:
- 7/core/ruby-2.5.7-20.mga7