rh-ruby25-ruby-2.5.9-9.el7

Errata ID: AXSA:2021-1762:01

Release date: 
Tuesday, June 1, 2021 - 12:20
Subject: 
rh-ruby25-ruby-2.5.9-9.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Ruby is an extensible, interpreted, object-oriented, scripting language. It has
features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version:
rh-ruby25-ruby (2.5.9).

Security Fix(es):

* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?
(CVE-2019-15845)
* ruby: Regular expression denial of service vulnerability of WEBrick's Digest
authentication (CVE-2019-16201)
* ruby: Code injection via command argument of Shell#test / Shell#[]
(CVE-2019-16255)
* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
* ruby: BasicSocket#read_nonblock method leads to information disclosure
(CVE-2020-10933)
* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Bug Fix(es):

* rh-ruby25-ruby: Resolv::DNS times out if multiple IPv6 name servers are
given and an address contains a leading zero [rhscl-3]

CVE-2019-15845
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path
checking within File.fnmatch functions.
CVE-2019-16201
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and
2.6.x through 2.6.4 has a regular expression Denial of Service caused by
looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth
to the Internet or an untrusted network.
CVE-2019-16254
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP
Response Splitting. If a program using WEBrick inserts untrusted input into the
response header, an attacker can exploit it to insert a newline character to
split a header, and inject malicious content to deceive clients. NOTE: this
issue exists because of an incomplete fix for CVE-2017-17742, which addressed
the CRLF vector, but did not address an isolated CR or an isolated LF.
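The distinction the note above draws (the CRLF pair was rejected, an isolated CR or LF was not) is easy to get wrong in application code that sets headers from request data. The following is an added example, not code from the ruby or WEBrick projects: it places the incomplete check beside a strict one and builds a header line only from values that pass the strict check. `HeaderGuard` and its method names are assumptions chosen for this example; the sample values are constructed.

```ruby
# Added example, not code from the ruby or WEBrick projects.
# Compares a CRLF-only check with one that rejects any bare CR, LF or NUL.
module HeaderGuard
  # RFC 7230 "token": the only characters allowed in a header field name.
  TOKEN = /\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/
  # Characters that must never reach a header value: bare CR, bare LF, NUL.
  BAD   = /[\r\n\x00]/

  # The incomplete check: only the two-byte CRLF sequence is refused, so a
  # lone "\r" or "\n" still passes and can still terminate the header line.
  def self.crlf_only_safe?(value)
    !value.include?("\r\n")
  end

  # The strict check: any CR, LF or NUL anywhere in the value is refused.
  def self.safe_value?(value)
    !value.match?(BAD)
  end

  # Builds one serialized header line, raising instead of emitting anything
  # that could be split into a second header or a body.
  def self.header_line(name, value)
    raise ArgumentError, "bad header name #{name.inspect}" unless name.match?(TOKEN)
    raise ArgumentError, "CR/LF/NUL in value for #{name}" unless safe_value?(value)
    "#{name}: #{value}\r\n"
  end
end

if __FILE__ == $0
  # Constructed sample values, treated as untrusted request input would be.
  ["/ok?a=1", "/x\r\nX-Injected: 1", "/x\rX-Injected: 1", "/x\nX-Injected: 1"].each do |v|
    puts format("%-24p crlf_only=%-5s strict=%s", v,
                HeaderGuard.crlf_only_safe?(v), HeaderGuard.safe_value?(v))
  end
end
```

Running the file prints one row per sample: the CRLF-only check accepts the two values that contain a single control character, the strict check rejects all three. Rejecting rather than stripping is deliberate: a value that contains a control character is not something the application meant to send, and silently rewriting it hides the bug that produced it.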
CVE-2019-16255
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code
injection if the first argument (aka the "command" argument) to Shell#[] or
Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to
call an arbitrary Ruby method.
CVE-2020-10663
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5
through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation
Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor
garbage-collection behavior within Ruby. Specifically, use of JSON parsing
methods can lead to creation of a malicious object within the interpreter, with
adverse effects that are application-dependent.
CVE-2020-10933
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and
2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer,
exception: false), the method resizes the buffer to fit the requested size, but
no data is copied. Thus, the buffer string provides the previous value of the
heap. This may expose possibly sensitive data from the interpreter.
CVE-2020-25613
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x
through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked
the transfer-encoding header value rigorously. An attacker may potentially
exploit this issue to bypass a reverse proxy (which also has a poor header
check), which may lead to an HTTP Request Smuggling attack.
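What "rigorously" means for a Transfer-Encoding check is concrete: decide the body framing from the header exactly once, accept only the coding you actually implement, and refuse a request that carries both Transfer-Encoding and Content-Length rather than picking one, since a front-end and a back-end that pick differently is the condition request smuggling depends on. The following is an added example, not WEBrick's parser: a framing decision that raises on anything ambiguous. `TeGuard`, its `BadRequest` error and the lower-cased `headers` hash are assumptions of this example; the sample headers are constructed.

```ruby
# Added example, not code from the ruby or WEBrick projects.
# Strict body-framing decision from Transfer-Encoding / Content-Length.
module TeGuard
  class BadRequest < StandardError; end

  # Splits a Transfer-Encoding value into lower-cased codings; RFC 7230 allows
  # optional whitespace around each comma-separated element.
  def self.codings(value)
    value.split(",").map { |c| c.strip.downcase }.reject(&:empty?)
  end

  # Returns :chunked, :length or :none for a hash of lower-cased header names,
  # raising BadRequest instead of guessing when the headers are ambiguous.
  def self.framing(headers)
    te = headers["transfer-encoding"]
    cl = headers["content-length"]
    if te
      list = codings(te)
      # Accept exactly one coding, "chunked". Anything else (a misspelled
      # coding, an extra "identity", an empty list) is refused outright, so
      # no intermediary can read the same header as "not chunked".
      raise BadRequest, "unsupported Transfer-Encoding #{te.inspect}" unless list == ["chunked"]
      # Both framing headers present is the classic smuggling setup: refuse it.
      raise BadRequest, "Transfer-Encoding together with Content-Length" if cl
      return :chunked
    end
    if cl
      # Only a plain decimal length; no sign, whitespace or duplicate values.
      raise BadRequest, "bad Content-Length #{cl.inspect}" unless cl.match?(/\A\d+\z/)
      return :length
    end
    :none
  end
end

if __FILE__ == $0
  # Constructed sample header sets.
  [{ "transfer-encoding" => "chunked" },
   { "content-length" => "12" },
   { "transfer-encoding" => "chunked", "content-length" => "5" },
   { "transfer-encoding" => "xchunked" },
   { "content-length" => "5 " }].each do |h|
    begin
      puts "#{h.inspect} -> #{TeGuard.framing(h)}"
    rescue TeGuard::BadRequest => e
      puts "#{h.inspect} -> 400 (#{e.message})"
    end
  end
end
```

Refusing all codings other than plain `chunked` is stricter than the RFC requires, which permits a chain of codings ending in `chunked`; the trade-off taken here is that a server which implements only one coding gains nothing by parsing the others and loses a class of ambiguity by not doing so.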
CVE-2021-28965
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x
before 3.0.1 does not properly address XML round-trip issues. An incorrect
document can be produced after parsing and serializing.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rh-ruby25-ruby-2.5.9-9.el7.src.rpm
    MD5: 5f8119849352929b059a0009c3147b44
    SHA-256: eef4e6b018cc637b2bdf0a1a45e51067b9db422e1bb3a5904384a1a7dca950da
    Size: 10.89 MB

Asianux Server 7 for x86_64
  1. rh-ruby25-ruby-2.5.9-9.el7.x86_64.rpm
    MD5: 73aac8e7c9cf0d8de1f7b8cd852580db
    SHA-256: 00a9f62c9a65cc11480f4f4caf3478840969ca872763bf87d3f96245ec7d763a
    Size: 77.86 kB
  2. rh-ruby25-ruby-devel-2.5.9-9.el7.x86_64.rpm
    MD5: 7f2bb1cad46fe1238e56522ee40c5fa5
    SHA-256: b437e9c54823f1a7c1391a7c1658464c5ddc0b71c4d87878a79a38ec4e039721
    Size: 118.46 kB
  3. rh-ruby25-ruby-doc-2.5.9-9.el7.noarch.rpm
    MD5: 4b827014e5513f7f5fc387b551157531
    SHA-256: 7aa6665bd412f0c67a9620c41ae597cfe73d936063af8219d4c7fd2b808e04b9
    Size: 5.59 MB
  4. rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.x86_64.rpm
    MD5: 93411a44868a3462cfb21c3a51202d8d
    SHA-256: da0f13c1a83203a64be9a6b524e450149e162621897365d021116834f496d113
    Size: 88.62 kB
  5. rh-ruby25-rubygem-did_you_mean-1.2.0-9.el7.noarch.rpm
    MD5: 3cfb98690fa4d4dfd2cf4a7100d166ee
    SHA-256: 3c3aa07fdc7adcd236e46007dddbdf643ac5f2c606756c933083eed4ec5a3cc5
    Size: 74.68 kB
  6. rh-ruby25-rubygem-io-console-0.4.6-9.el7.x86_64.rpm
    MD5: 66acd61bcd964947437b3599c96768a4
    SHA-256: c08c865948236c1f72aa31e202c56303f9946b9ece3a4a241ea3599d59b8bbe1
    Size: 58.32 kB
  7. rh-ruby25-rubygem-json-2.1.0-9.el7.x86_64.rpm
    MD5: bb49facead22a3528b64336c7e1c42dd
    SHA-256: f103776d319638feaebf4696b790fcb80cf23d6b82fa52c3ab3550aec02cb712
    Size: 82.16 kB
  8. rh-ruby25-rubygem-minitest-5.10.3-9.el7.noarch.rpm
    MD5: bd90201e3e09e56f78a1b4641f4019bf
    SHA-256: ebf446fd26871c8c6da8288e013674da2218a1a734c00867015e0002f2b07e3c
    Size: 115.20 kB
  9. rh-ruby25-rubygem-net-telnet-0.1.1-9.el7.noarch.rpm
    MD5: 8ea1cb7df6bb28ab0bdbccac6183237a
    SHA-256: c9db9c4e3b4f22d8670d269721cef3db06ce2355b8ee69b5c3d07a98fb2b225e
    Size: 62.57 kB
  10. rh-ruby25-rubygem-openssl-2.1.2-9.el7.x86_64.rpm
    MD5: 73591f5efe0f3726c7ec3ffca05c8f7b
    SHA-256: 974a124f5a98896d58bfc439821fcd68180b615964c874223415e0ee6e324602
    Size: 178.59 kB
  11. rh-ruby25-rubygem-power_assert-1.1.1-9.el7.noarch.rpm
    MD5: 8043673219df994fc23a41442df14a04
    SHA-256: 328db4b89e7ac8bead8e890416fbfe63c8d34fe3231d8080c0684425f2a13e5a
    Size: 61.77 kB
  12. rh-ruby25-rubygem-psych-3.0.2-9.el7.x86_64.rpm
    MD5: 4623fe4ff1f18371518845aa0d882abc
    SHA-256: ea35b0183ed6b796f667381610f35db17acc0d330c8c05e9c8ea256b1b49eaf8
    Size: 86.95 kB
  13. rh-ruby25-rubygem-rake-12.3.3-9.el7.noarch.rpm
    MD5: 2e48e1780a66fe14e14e9426bdf54eb8
    SHA-256: 4af2ed2e6f17109b616aabc168ca1567fba6cef92b23f16c9383b9fca1b9b40b
    Size: 134.30 kB
  14. rh-ruby25-rubygem-rdoc-6.0.1.1-9.el7.noarch.rpm
    MD5: 4eec6eb9afd945de74951a8f03faa0cc
    SHA-256: fcbc5d2a879eadb1e6e49fb9778115f45717e3c821bd16c267c5785f6599e3da
    Size: 449.79 kB
  15. rh-ruby25-rubygems-2.7.6.3-9.el7.noarch.rpm
    MD5: fa1b7003e95f7648547603ccea6647d5
    SHA-256: 56d1cf859facb03e1c234ee200323aadb0b99b58468cbe3e60e874e46bdd5b5c
    Size: 303.03 kB
  16. rh-ruby25-rubygems-devel-2.7.6.3-9.el7.noarch.rpm
    MD5: f5d65a243527a68ea9a8e58a52bd5d83
    SHA-256: 77ffcb2129a77d2189dcee61f7ca0faee0d0fc7790cd2aa0a6d148621ffd97e1
    Size: 49.74 kB
  17. rh-ruby25-rubygem-test-unit-3.2.7-9.el7.noarch.rpm
    MD5: de7541846186b57c79273b4a8ae07234
    SHA-256: daab17aa85f2842927a32acafd3dc1e8a5e8d0be368269329db5780947cebf77
    Size: 176.50 kB
  18. rh-ruby25-rubygem-xmlrpc-0.3.0-9.el7.noarch.rpm
    MD5: a593a8a60b18fbddcbadc487838351d8
    SHA-256: 3f479132fca85d6906eefc18e180cc4b2034316c39d1cd82559dba1f2ec84dca
    Size: 74.22 kB
  19. rh-ruby25-ruby-irb-2.5.9-9.el7.noarch.rpm
    MD5: fe5f3976ccace6e28e7e661df3f316ff
    SHA-256: 199479b79bfc9d2ff8e78838067e7c89e6468251f092b0f39b10525d2ac12355
    Size: 94.62 kB
  20. rh-ruby25-ruby-libs-2.5.9-9.el7.x86_64.rpm
    MD5: 1d1b95e0def47bba6fe752ef4fd92137
    SHA-256: 76b172ecb6c548443fd0ceb604e563d07c13a5234a62a9293d54294a00ce908e
    Size: 2.85 MB