CVE-2019-16201

Published: 20 November 2019

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.

From the Ubuntu security team

It was discovered that WEBrick as provided by JRuby was vulnerable to a denial of service attack due to catastrophic backtracking in certain regular expressions. An attacker could use this vulnerability to cause JRuby to consume system resources.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
jruby
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needed

ruby2.3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus)
Released (2.3.1-2~ubuntu16.04.14)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

ruby2.5
Launchpad, Ubuntu, Debian
Upstream
Released (2.5.7-1)
Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.5.1-1ubuntu1.6)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03 (master)
Upstream: https://github.com/ruby/ruby/commit/05cdcdc6ec7f0777ba56100308e54e97e277293f (2.5.x)