svn commit: r513606 - head/security/vuxml
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Wed Oct 2 19:24:51 UTC 2019
Author: sunpoet
Date: Wed Oct 2 19:24:50 2019
New Revision: 513606
URL: https://svnweb.freebsd.org/changeset/ports/513606
Log:
Document ruby vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Oct 2 19:24:18 2019 (r513605)
+++ head/security/vuxml/vuln.xml Wed Oct 2 19:24:50 2019 (r513606)
@@ -58,6 +58,64 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="f7fcb75c-e537-11e9-863e-b9b7af01ba9e">
+ <topic>ruby -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>ruby</name>
+ <range><ge>2.4.0,1</ge><lt>2.4.9,1</lt></range>
+ <range><ge>2.5.0,1</ge><lt>2.5.7,1</lt></range>
+ <range><ge>2.6.0,1</ge><lt>2.6.5,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby news:</p>
+ <blockquote cite="https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/">
+ <p>This release includes security fixes. Please check the topics below for
+ details.</p>
+ <p>CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
+ File.fnmatch?</p>
+ <p>A NUL injection vulnerability of Ruby built-in methods (File.fnmatch
+ and File.fnmatch?) was found. An attacker who has the control of the
+ path pattern parameter could exploit this vulnerability to make path
+ matching pass despite the intention of the program author.</p>
+ <p>CVE-2019-16201: Regular Expression Denial of Service vulnerability of
+ WEBrick's Digest access authentication</p>
+ <p>Regular expression denial of service vulnerability of WEBrick's Digest
+ authentication module was found. An attacker can exploit this
+ vulnerability to cause an effective denial of service against a WEBrick
+ service.</p>
+ <p>CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)</p>
+ <p>There is an HTTP response splitting vulnerability in WEBrick bundled
+ with Ruby.</p>
+ <p>CVE-2019-16255: A code injection vulnerability of Shell#[] and
+ Shell#test</p>
+ <p>A code injection vulnerability of Shell#[] and Shell#test in a standard
+ library (lib/shell.rb) was found.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/</url>
+ <url>https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/</url>
+ <cvename>CVE-2019-15845</cvename>
+ <cvename>CVE-2019-16201</cvename>
+ <cvename>CVE-2019-16254</cvename>
+ <cvename>CVE-2019-16255</cvename>
+ </references>
+ <dates>
+ <discovery>2019-10-01</discovery>
+ <entry>2019-10-02</entry>
+ </dates>
+ </vuln>
+
<vuln vid="0762fa72-e530-11e9-86e9-001b217b3468">
<topic>Gitlab -- Disclosure Vulnerabilities</topic>
<affects>
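Review bot: the 2.4 branch range uses `<lt>2.4.9,1</lt>` while the references cite both the 2.4.8 and the 2.4.9 announcements; confirm that 2.4.9 is the first 2.4 release carrying the fixes for all four CVEs, otherwise the upper bound should be `2.4.8,1` so that a patched 2.4.8 port is not still flagged. The 2.5 (`<lt>2.5.7,1</lt>`) and 2.6 (`<lt>2.6.5,1</lt>`) bounds line up with the cited 2.5.7 and 2.6.5 release notices. The `<blockquote>` `cite` attribute points only at the 2.6.5 announcement even though the entry covers three branches; since the per-CVE advisory URLs are already listed under `<references>`, that is acceptable, but the `<discovery>` date of 2019-10-01 should be checked against those advisories rather than the 2.4.9 notice dated 2019-10-02.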