CVE-2014-4975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4975): Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.
CVE-2014-3916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3916): The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.
CVE-2014-4975 (https://bugs.ruby-lang.org/issues/10019): As far as I can tell, CVE-2014-4975 was fixed upstream for the 2.1 and 2.2 series only. Both 2.1.5 and 2.2.0 in tree are fixed. ruby-1.9.3_p551 and ruby-2.2.0_p598 do not have upstream fixes at the moment. I would expect only 2.2.0 to receive fixes, since 1.9.3 will be deprecated shortly.
CVE-2014-3916 (https://bugs.ruby-lang.org/issues/9709): This is fixed in the 2.0, 2.1, and 2.2 series. 2.0.0_p598, 2.1.5, and 2.2.0 in tree are all fixed. ruby-1.9.3_p551 is still vulnerable but will be deprecated by upstream shortly.
Ruby 1.9 is now masked for removal, so we no longer have any vulnerable versions in the tree.
GLSA Vote: No