Date: Wed, 2 Oct 2019 19:24:50 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r513606 - head/security/vuxml Message-ID: <201910021924.x92JOo55063803@repo.freebsd.org>
Author: sunpoet Date: Wed Oct 2 19:24:50 2019 New Revision: 513606 URL: https://svnweb.freebsd.org/changeset/ports/513606 Log: Document ruby vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Oct 2 19:24:18 2019 (r513605) +++ head/security/vuxml/vuln.xml Wed Oct 2 19:24:50 2019 (r513606) 
@@ -58,6 +58,64 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f7fcb75c-e537-11e9-863e-b9b7af01ba9e"> + <topic>ruby -- multiple vulnerabilities</topic> + <affects> + <package> + <name>ruby</name> + <range><ge>2.4.0,1</ge><lt>2.4.9,1</lt></range> + <range><ge>2.5.0,1</ge><lt>2.5.7,1</lt></range> + <range><ge>2.6.0,1</ge><lt>2.6.5,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Ruby news:</p> + <blockquote cite="https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/"> + <p>This release includes security fixes. Please check the topics below for + details.</p> + <p>CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and + File.fnmatch?</p> + <p>A NUL injection vulnerability of Ruby built-in methods (File.fnmatch + and File.fnmatch?) was found. An attacker who has the control of the + path pattern parameter could exploit this vulnerability to make path + matching pass despite the intention of the program author.</p> + <p>CVE-2019-16201: Regular Expression Denial of Service vulnerability of + WEBrick's Digest access authentication</p> + <p>Regular expression denial of service vulnerability of WEBrick's Digest + authentication module was found. 
An attacker can exploit this + vulnerability to cause an effective denial of service against a WEBrick + service.</p> + <p>CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)</p> + <p>There is an HTTP response splitting vulnerability in WEBrick bundled + with Ruby.</p> + <p>CVE-2019-16255: A code injection vulnerability of Shell#[] and + Shell#test</p> + <p>A code injection vulnerability of Shell#[] and Shell#test in a standard + library (lib/shell.rb) was found.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/</url> + <url>https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/</url> + <cvename>CVE-2019-15845</cvename> + <cvename>CVE-2019-16201</cvename> + <cvename>CVE-2019-16254</cvename> + <cvename>CVE-2019-16255</cvename> + </references> + <dates> + <discovery>2019-10-01</discovery> + <entry>2019-10-02</entry> + </dates> + </vuln> + <vuln vid="0762fa72-e530-11e9-86e9-001b217b3468"> <topic>Gitlab -- Disclosure Vulnerabilities</topic> <affects>
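Review bot: the 2.4 series range in the <affects> block stops at <lt>2.4.9,1</lt>, while the references list both the 2.4.8 and the 2.4.9 release announcements and the other two series are bounded at their first fixed release (2.5.7,1 and 2.6.5,1); if the four fixes already shipped in 2.4.8, the bound should be <lt>2.4.8,1</lt>, and if 2.4.9 is intentionally the first version treated as fixed, a one-line XML comment in the entry saying why would spare the next editor the same question. A smaller point on the description: the paragraph for CVE-2019-16254 is labelled "(Additional fix)" but nothing in the quoted text says which earlier WEBrick response-splitting fix it supplements, so a short sentence pointing at the original advisory would make the entry self-contained.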