Related CVEs: CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255
Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.
Ruby allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Ruby mishandles path checking within File.fnmatch functions.
Ruby allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
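The following Ruby is an added illustration of the point made about the incomplete earlier fix; it is not part of the advisory and not WEBrick's own code. It places a check that rejects only the CRLF pair (modelled on the CVE-2017-17742 fix as described above) beside one that rejects any isolated CR or LF, and shows how a header value containing a lone LF still splits the raw response. All function names and the sample header values are constructed for this example.

```ruby
# Added example: contrasting an incomplete and a complete header-value check
# for HTTP response splitting. Not from the Debian advisory or from WEBrick.

# Naive check modelled on the incomplete fix: only the "\r\n" pair is rejected.
# An isolated "\r" or "\n" passes through.
def crlf_only_safe?(value)
  !value.include?("\r\n")
end

# Hardened check: reject any carriage return or line feed, paired or isolated.
def header_value_safe?(value)
  !value.match?(/[\r\n]/)
end

# Build a minimal HTTP/1.1 response using the naive check (demonstrates the gap).
# Returns the raw bytes a client would receive.
def build_response_naive(header_name, header_value)
  raise ArgumentError, "invalid header value" unless crlf_only_safe?(header_value)
  "HTTP/1.1 200 OK\r\n#{header_name}: #{header_value}\r\nContent-Length: 0\r\n\r\n"
end

# Same response builder, but guarded by the hardened check.
def build_response(header_name, header_value)
  raise ArgumentError, "invalid header value" unless header_value_safe?(header_value)
  "HTTP/1.1 200 OK\r\n#{header_name}: #{header_value}\r\nContent-Length: 0\r\n\r\n"
end

# Count the lines in the header section as a lenient client would parse them:
# many clients accept a bare CR or LF as a line terminator, which is exactly
# why an isolated CR or LF is enough to inject an extra header.
def header_line_count(raw_response)
  head = raw_response.split("\r\n\r\n", 2).first
  head.split(/\r\n|\r|\n/).length
end

# Constructed sample inputs (hypothetical values, not taken from any real traffic).
SAFE_VALUE    = "sessionid=abc123"
CRLF_VALUE    = "x\r\nX-Injected: 1"
LONE_LF_VALUE = "x\nX-Injected: 1"

if __FILE__ == $0
  # Naive check: accepts the lone-LF value, and the resulting response gains a header line.
  puts "naive check accepts lone LF: #{crlf_only_safe?(LONE_LF_VALUE)}"
  puts "header lines seen by lenient client: #{header_line_count(build_response_naive('X-Test', LONE_LF_VALUE))}"
  # Hardened check rejects both forms.
  puts "hardened check accepts lone LF: #{header_value_safe?(LONE_LF_VALUE)}"
end
```

A clean response in this layout has three header-section lines (status line plus two headers); with the lone-LF value the naive builder emits four, which is the injected header. The hardened builder refuses the value before any bytes are written.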
WEBrick::HTTPAuth::DigestAuth in Ruby has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
For Debian 7 Wheezy, these problems have been fixed in version 22.214.171.124-8.1+deb7u10.
We recommend that you upgrade your ruby1.9.1 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/