Import original articles

Author: yous

ko/news/_posts/2019-10-01-code-injection-shell-test-cve-2019-16255.md

@@ -0,0 +1,36 @@
+---
+layout: news_post
+title: "CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test"
+author: "mame"
+translator:
+date: 2019-10-01 11:00:00 +0000
+tags: security
+lang: en
+---
+
+A code injection vulnerability of Shell#[] and Shell#test in a standard library (lib/shell.rb) was found.  The vulnerability has been assigned the CVE identifier [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).
+
+## Details
+
+Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument (aka the "command" argument) is untrusted data.  An attacker can exploit this to call an arbitrary Ruby method.
+
+Note that passing untrusted data to methods of Shell is dangerous in general.  Users must never do it.  However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered file testing.
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* All releases that are Ruby 2.3 or earlier
+* Ruby 2.4 series: Ruby 2.4.7 or earlier
+* Ruby 2.5 series: Ruby 2.5.6 or earlier
+* Ruby 2.6 series: Ruby 2.6.4 or earlier
+* Ruby 2.7.0-preview1
+
+## Acknowledgement
+
+Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for discovering this issue.
+
+## History
+
+* Originally published at 2019-10-01 11:00:00 (UTC)
+* Fixed minor spelling problem at 2019-10-05 12:00:00 (UTC)

ko/news/_posts/2019-10-01-http-response-splitting-in-webrick-cve-2019-16254.md

@@ -0,0 +1,36 @@
+---
+layout: news_post
+title: "CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)"
+author: "mame"
+translator:
+date: 2019-10-01 11:00:00 +0000
+tags: security
+lang: en
+---
+
+There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
+
+## Details
+
+If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.
+
+This is the same issue as [CVE-2017-17742](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/).  The previous fix was incomplete, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* All releases that are Ruby 2.3 or earlier
+* Ruby 2.4 series: Ruby 2.4.7 or earlier
+* Ruby 2.5 series: Ruby 2.5.6 or earlier
+* Ruby 2.6 series: Ruby 2.6.4 or earlier
+* Ruby 2.7.0-preview1
+* prior to master commit 3ce238b5f9795581eb84114dcfbdf4aa086bfecc
+
+## Acknowledgement
+
+Thanks to [znz](https://hackerone.com/znz) for discovering this issue.
+
+## History
+
+* Originally published at 2019-10-01 11:00:00 (UTC)

ko/news/_posts/2019-10-01-nul-injection-file-fnmatch-cve-2019-15845.md

@@ -0,0 +1,35 @@
+---
+layout: news_post
+title: "CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?"
+author: "mame"
+translator:
+date: 2019-10-01 11:00:00 +0000
+tags: security
+lang: en
+---
+
+A NUL injection vulnerability of Ruby built-in methods (`File.fnmatch` and `File.fnmatch?`) was found.  An attacker who has the control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author.
+[CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845) has been assigned to this vulnerability.
+
+## Details
+
+Built-in methods `File.fnmatch` and its alias `File.fnmatch?` accept the path pattern as their first parameter.  When the pattern contains NUL character (`\0`), the methods recognize that the path pattern ends immediately before the NUL byte.  Therefore, a script that uses an external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.
+
+All users running any affected releases should upgrade as soon as possible.
+
+## Affected Versions
+
+* All releases that are Ruby 2.3 or earlier
+* Ruby 2.4 series: Ruby 2.4.7 or earlier
+* Ruby 2.5 series: Ruby 2.5.6 or earlier
+* Ruby 2.6 series: Ruby 2.6.4 or earlier
+* Ruby 2.7.0-preview1
+* prior to master commit a0a2640b398cffd351f87d3f6243103add66575b
+
+## Acknowledgement
+
+Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for discovering this issue.
+
+## History
+
+* Originally published at 2019-10-01 11:00:00 (UTC)

ko/news/_posts/2019-10-01-ruby-2-4-8-released.md

@@ -0,0 +1,61 @@
+---
+layout: news_post
+title: "Ruby 2.4.8 Released"
+author: "usa"
+translator:
+date: 2019-10-01 11:00:00 +0000
+lang: en
+---
+
+Ruby 2.4.8 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test]({% link en/news/_posts/2019-10-01-code-injection-shell-test-cve-2019-16255.md %})
+* [CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)]({% link en/news/_posts/2019-10-01-http-response-splitting-in-webrick-cve-2019-16254.md %})
+* [CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?]({% link en/news/_posts/2019-10-01-nul-injection-file-fnmatch-cve-2019-15845.md %})
+* [CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication]({% link en/news/_posts/2019-10-01-webrick-regexp-digestauth-dos-cve-2019-16201.md %})
+
+Ruby 2.4 is now under the state of the security maintenance phase, until
+the end of March of 2020.  After that date, maintenance of Ruby 2.4
+will be ended. We recommend you start planning the migration to newer
+versions of Ruby, such as 2.6 or 2.5.
+
+__Update (Oct 2nd 4:00 UTC):__ We're working on the issue that the Ruby 2.4.8 release tarball doesn't install under _non-root_ user. Follow [[Bug #16197]](https://bugs.ruby-lang.org/issues/16197) for detailed updates.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.4.8" | first %}
+
+* <{{ release.url.bz2 }}>
+
+      SIZE: {{ release.size.bz2 }}
+      SHA1: {{ release.sha1.bz2 }}
+      SHA256: {{ release.sha256.bz2 }}
+      SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Thanks to everyone who helped with this release, especially, to reporters of the vulnerability.

ko/news/_posts/2019-10-01-ruby-2-5-7-released.md

@@ -0,0 +1,58 @@
+---
+layout: news_post
+title: "Ruby 2.5.7 Released"
+author: "usa"
+translator:
+date: 2019-10-01 11:00:00 +0000
+lang: en
+---
+
+Ruby 2.5.7 has been released.
+
+This release includes security fixes as listed below.
+Please check the topics below for details.
+
+* [CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test]({% link en/news/_posts/2019-10-01-code-injection-shell-test-cve-2019-16255.md %})
+* [CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)]({% link en/news/_posts/2019-10-01-http-response-splitting-in-webrick-cve-2019-16254.md %})
+* [CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?]({% link en/news/_posts/2019-10-01-nul-injection-file-fnmatch-cve-2019-15845.md %})
+* [CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication]({% link en/news/_posts/2019-10-01-webrick-regexp-digestauth-dos-cve-2019-16201.md %})
+
+See the [commit log](https://github.com/ruby/ruby/compare/v2_5_6...v2_5_7) for details.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.5.7" | first %}
+
+* <{{ release.url.bz2 }}>
+
+      SIZE: {{ release.size.bz2 }}
+      SHA1: {{ release.sha1.bz2 }}
+      SHA256: {{ release.sha256.bz2 }}
+      SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Thanks to everyone who helped with this release.
+
+The maintenance of Ruby 2.5, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association.

ko/news/_posts/2019-10-01-ruby-2-6-5-released.md

@@ -0,0 +1,57 @@
+---
+layout: news_post
+title: "Ruby 2.6.5 Released"
+author: "nagachika"
+translator:
+date: 2019-10-01 11:00:00 +0000
+lang: en
+---
+
+Ruby 2.6.5 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test]({% link en/news/_posts/2019-10-01-code-injection-shell-test-cve-2019-16255.md %})
+* [CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)]({% link en/news/_posts/2019-10-01-http-response-splitting-in-webrick-cve-2019-16254.md %})
+* [CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?]({% link en/news/_posts/2019-10-01-nul-injection-file-fnmatch-cve-2019-15845.md %})
+* [CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication]({% link en/news/_posts/2019-10-01-webrick-regexp-digestauth-dos-cve-2019-16201.md %})
+
+See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_4...v2_6_5) for changes in detail.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.6.5" | first %}
+
+* <{{ release.url.bz2 }}>
+
+      SIZE: {{ release.size.bz2 }}
+      SHA1: {{ release.sha1.bz2 }}
+      SHA256: {{ release.sha256.bz2 }}
+      SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.

ko/news/_posts/2019-10-01-webrick-regexp-digestauth-dos-cve-2019-16201.md

@@ -0,0 +1,32 @@
+---
+layout: news_post
+title: "CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication"
+author: "mame"
+translator:
+date: 2019-10-01 11:00:00 +0000
+tags: security
+lang: en
+---
+
+Regular expression denial of service vulnerability of WEBrick's Digest authentication module was found.  An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service.
+
+[CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201) has been assigned to this vulnerability.
+
+All users running any affected releases should upgrade as soon as possible.
+
+## Affected Versions
+
+* All releases that are Ruby 2.3 or earlier
+* Ruby 2.4 series: Ruby 2.4.7 or earlier
+* Ruby 2.5 series: Ruby 2.5.6 or earlier
+* Ruby 2.6 series: Ruby 2.6.4 or earlier
+* Ruby 2.7.0-preview1
+* prior to master commit 36e057e26ef2104bc2349799d6c52d22bb1c7d03
+
+## Acknowledgement
+
+Thanks to [358](https://hackerone.com/358) for discovering this issue.
+
+## History
+
+* Originally published at 2019-10-01 11:00:00 (UTC)