Date:      Wed, 2 Oct 2019 19:24:50 +0000 (UTC)
From:      Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r513606 - head/security/vuxml
Message-ID:  <201910021924.x92JOo55063803@repo.freebsd.org>

Author: sunpoet
Date: Wed Oct  2 19:24:50 2019
New Revision: 513606
URL: https://svnweb.freebsd.org/changeset/ports/513606

Log:
  Document ruby vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Oct  2 19:24:18 2019	(r513605)
+++ head/security/vuxml/vuln.xml	Wed Oct  2 19:24:50 2019	(r513606)
@@ -58,6 +58,64 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="f7fcb75c-e537-11e9-863e-b9b7af01ba9e">
+    <topic>ruby -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>ruby</name>
+	<range><ge>2.4.0,1</ge><lt>2.4.9,1</lt></range>
+	<range><ge>2.5.0,1</ge><lt>2.5.7,1</lt></range>
+	<range><ge>2.6.0,1</ge><lt>2.6.5,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Ruby news:</p>
+	<blockquote cite="https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/">;
+	  <p>This release includes security fixes. Please check the topics below for
+	    details.</p>
+	  <p>CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
+	    File.fnmatch?</p>
+	  <p>A NUL injection vulnerability of Ruby built-in methods (File.fnmatch
+	    and File.fnmatch?) was found. An attacker who has the control of the
+	    path pattern parameter could exploit this vulnerability to make path
+	    matching pass despite the intention of the program author.</p>
+	  <p>CVE-2019-16201: Regular Expression Denial of Service vulnerability of
+	    WEBrick's Digest access authentication</p>
+	  <p>Regular expression denial of service vulnerability of WEBrick's Digest
+	    authentication module was found. An attacker can exploit this
+	    vulnerability to cause an effective denial of service against a WEBrick
+	    service.</p>
+	  <p>CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)</p>
+	  <p>There is an HTTP response splitting vulnerability in WEBrick bundled
+	    with Ruby.</p>
+	  <p>CVE-2019-16255: A code injection vulnerability of Shell#[] and
+	    Shell#test</p>
+	  <p>A code injection vulnerability of Shell#[] and Shell#test in a standard
+	    library (lib/shell.rb) was found.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/</url>;
+      <url>https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/</url>;
+      <cvename>CVE-2019-15845</cvename>
+      <cvename>CVE-2019-16201</cvename>
+      <cvename>CVE-2019-16254</cvename>
+      <cvename>CVE-2019-16255</cvename>
+    </references>
+    <dates>
+      <discovery>2019-10-01</discovery>
+      <entry>2019-10-02</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="0762fa72-e530-11e9-86e9-001b217b3468">
     <topic>Gitlab -- Disclosure Vulnerabilities</topic>
     <affects>
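Review bot: the fixed version for the 2.4 branch is given as `<lt>2.4.9,1</lt>`, so 2.4.8 is documented as still affected, yet the entry's body quotes only the 2.6.5 release note and the references list both the 2.4.8 and the 2.4.9 release announcements without saying why the earlier one does not count as the fix; a one-line note in the `<description>` (e.g. that 2.4.9 is the release that fully resolves these issues for the 2.4 branch) would keep readers of the entry from treating 2.4.8 as patched. Separately, the `;` following `<vuxml xmlns="...">`, `<body xmlns="...">`, `<blockquote cite="...">` and every `</url>` in this hunk does not belong in well-formed vuxml and appears to be a mail-archive rendering artifact around the URLs; worth confirming against the committed vuln.xml, since literal stray text there would fail `make validate` in security/vuxml.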