Errata overview
Errata ID 625
Date 2019-12-18
Source package ruby2.3
Fixed in version 2.3.3-1+deb9u7
This update addresses the following issues:
* Ruby allows HTTP Response Splitting. If a program using WEBrick inserts
  untrusted input into the response header, an attacker can exploit it to
  insert a newline character to split a header, and inject malicious content
  to deceive clients. NOTE: this issue exists because of an incomplete fix
  for CVE-2017-17742, which addressed the CRLF vector, but did not address an
  isolated CR or an isolated LF. (CVE-2019-16254)
* Ruby mishandles path checking within File.fnmatch functions.
* Regular expression denial of service vulnerability of WEBrick's Digest
  access authentication (CVE-2019-16201)
* Ruby allows code injection if the first argument (aka the "command"
  argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An
  attacker can exploit this to call an arbitrary Ruby method.
Additional notes
CVE ID CVE-2019-15845
UCS Bug number #50655