
A ruby1.9.1 security update has been released for Debian GNU/Linux 7 Extended LTS



ELA-201-1 ruby1.9.1 security update

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.

Package: ruby1.9.1
Version: 1.9.3.194-8.1+deb7u10
Related CVEs: CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255

CVE-2019-16255

Ruby allows code injection if the first argument (aka the “command” argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
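The following is an added illustration of the dispatch pattern behind this issue; it is not Ruby's lib/shell.rb. It assumes the "command" name arrives from an untrusted caller and is passed straight to Object#send, which does not respect method visibility, so the private Kernel methods every object inherits (system, exec, eval, format, ...) become reachable. The names file_test_unsafe, file_test_safe, ALLOWED_TESTS and escapes_sandbox? are made up for the example.

```ruby
# Added example modelling CVE-2019-16255; not Ruby's own shell.rb code.

# Vulnerable pattern: the caller-supplied name goes straight to Object#send,
# which also reaches private methods such as Kernel#system or Kernel#format.
def file_test_unsafe(command, path)
  FileTest.send(command, File.expand_path(path))
end

# The file predicates FileTest really defines (exist?, file?, directory?, ...).
ALLOWED_TESTS = FileTest.singleton_methods.map(&:to_s).sort.freeze

# Hardened pattern: allowlist the predicate name first, then dispatch with
# public_send. public_send on its own is not enough: methods such as
# instance_eval and send are public and would still be reachable.
def file_test_safe(command, path)
  name = command.to_s
  unless ALLOWED_TESTS.include?(name)
    raise ArgumentError, "unsupported file test: #{name.inspect}"
  end
  FileTest.public_send(name, File.expand_path(path))
end

# True when the unsafe dispatch would call something outside the predicate set.
def escapes_sandbox?(command)
  name = command.to_s
  !ALLOWED_TESTS.include?(name) && FileTest.respond_to?(name, true)
end

if __FILE__ == $0
  puts file_test_unsafe("directory?", "/")   # legitimate use works either way
  puts escapes_sandbox?("system")            # send would reach Kernel#system
  puts escapes_sandbox?("exist?")            # a real predicate stays inside
  begin
    file_test_safe("system", "/bin/true")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist is derived from FileTest's own singleton methods rather than written by hand, so it tracks the interpreter's predicate set; the key change is that an untrusted name can select only among those predicates and nothing else.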

CVE-2019-15845

Ruby mishandles path checking within File.fnmatch functions. The built-in File.fnmatch and its alias File.fnmatch? accepted a pattern containing NUL bytes, so the pattern was effectively cut off at the first NUL and could match paths that the full pattern text did not describe. A path check built on these functions could therefore be bypassed by an attacker who controls the pattern.
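As an added example (not Ruby's own dir.c code), the block below models an application that validates an untrusted glob rule on its full text and then hands it to File.fnmatch?. The helper effective_pattern_before_fix only imitates the truncation at the first NUL that the unpatched interpreter effectively performed; the ALLOWED_PREFIX, REQUIRED_SUFFIX, rule_well_formed? and path_allowed? names and the sample rule are constructed for the illustration.

```ruby
# Added example around CVE-2019-15845; the truncation helper is a model, not Ruby's code.

ALLOWED_PREFIX = "/srv/app/data/"
REQUIRED_SUFFIX = ".txt"

# Syntactic check on the rule text. It runs over the whole string, NUL included,
# so a rule such as "/srv/app/data/*\0.txt" looks well formed here.
def rule_well_formed?(rule)
  rule.start_with?(ALLOWED_PREFIX) && rule.end_with?(REQUIRED_SUFFIX)
end

# What an unpatched interpreter effectively matched: everything before the NUL.
# The ".txt" restriction the validator relied on never reaches fnmatch.
def effective_pattern_before_fix(rule)
  rule.split("\0", 2).first.to_s
end

# Access check that rejects NUL explicitly, so the rule the validator saw is the
# rule fnmatch sees, whatever interpreter version is underneath.
def path_allowed?(rule, path)
  return false if rule.include?("\0") || path.include?("\0")
  return false unless rule_well_formed?(rule)
  File.fnmatch?(rule, path, File::FNM_PATHNAME)
end

if __FILE__ == $0
  crafted = "/srv/app/data/*\0.txt"                     # constructed attacker rule
  puts rule_well_formed?(crafted)                        # true: suffix check passes
  puts effective_pattern_before_fix(crafted)             # "/srv/app/data/*"
  puts path_allowed?(crafted, "/srv/app/data/secrets.db")   # false: NUL rejected
  puts path_allowed?("/srv/app/data/*.txt", "/srv/app/data/notes.txt")  # true
end
```

On an interpreter carrying the fix, File.fnmatch? itself raises ArgumentError for a pattern containing a NUL byte; keeping the explicit check in the wrapper makes the failure mode the same on older interpreters and keeps the rejection visible in the application's own code.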

CVE-2019-16254

Ruby allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
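The block below is an added example, not WEBrick's code. It models how a server serializes a header block and why a check that rejects only the "\r\n" pair (the shape of the CVE-2017-17742 fix as described above) still lets a lone LF split a header for a client that accepts bare LF as a line terminator. The function names, the lenient client parser and the crafted Location value are all constructed for the illustration.

```ruby
# Added example around CVE-2019-16254; models header serialization, not WEBrick itself.

# Incomplete check: only the CRLF pair is rejected.
def header_value_ok_crlf_only?(value)
  !value.include?("\r\n")
end

# Complete check: any CR or LF in a header value is a splitting vector.
def header_value_ok?(value)
  !value.match?(/[\r\n]/)
end

# Serialize response headers the way an HTTP/1.1 server writes them
# ("Name: value" terminated by CRLF, then an empty line). The value check
# is passed in so the two policies can be compared; a rejected value raises
# so that nothing is sent at all.
def serialize_headers(headers, check)
  headers.map do |name, value|
    unless check.call(value.to_s)
      raise ArgumentError, "illegal character in #{name} header value"
    end
    "#{name}: #{value}\r\n"
  end.join + "\r\n"
end

# A lenient client: treats LF or CRLF as the end of a header line and returns
# the header names it ends up seeing.
def header_names_seen_by_client(block)
  block.split(/\r?\n/)
       .map { |line| line.split(":", 2).first }
       .reject { |name| name.nil? || name.empty? }
end

if __FILE__ == $0
  # Constructed attacker input: a redirect target carrying a bare LF.
  headers = {
    "Location" => "https://example.test/\nSet-Cookie: session=attacker",
    "Content-Length" => "0",
  }
  block = serialize_headers(headers, method(:header_value_ok_crlf_only?))
  p header_names_seen_by_client(block)   # ["Location", "Set-Cookie", "Content-Length"]
  begin
    serialize_headers(headers, method(:header_value_ok?))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The practical rule for any framework, not only WEBrick: validate header values against the character class (no CR, no LF) rather than against one specific separator sequence, since the client decides what it treats as a line break.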

CVE-2019-16201

WEBrick::HTTPAuth::DigestAuth in Ruby is subject to a regular expression denial of service (ReDoS) caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.

For Debian 7 Wheezy, these problems have been fixed in version 1.9.3.194-8.1+deb7u10.

We recommend that you upgrade your ruby1.9.1 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/