LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

June 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA June 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: ruby on SL6.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Wed, 29 Jun 2011 09:25:01 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (58 lines)

Synopsis:    Moderate: ruby security update
Issue Date:  2011-06-28
CVE Numbers: CVE-2011-1004
              CVE-2011-1005
              CVE-2011-0188


Ruby is an extensible, interpreted, object-oriented, scripting language. 
It has features to process text files and to do system management tasks.

A flaw was found in the way large amounts of memory were allocated on
64-bit systems when using the BigDecimal class. A context-dependent
attacker could use this flaw to cause memory corruption, causing a Ruby
application that uses the BigDecimal class to crash or, possibly, 
execute arbitrary code. This issue did not affect 32-bit systems. 
(CVE-2011-0188)

A race condition flaw was found in the remove system entries method in 
the FileUtils module. If a local user ran a Ruby script that uses this 
method, a local attacker could use this flaw to delete arbitrary files 
and directories accessible to that user via a symbolic link attack.
(CVE-2011-1004)

A flaw was found in the method for translating an exception message into 
a string in the Exception class. A remote attacker could use this flaw 
to bypass safe level 4 restrictions, allowing untrusted (tainted) code 
to modify arbitrary, trusted (untainted) strings, which safe level 4 
restrictions would otherwise prevent. (CVE-2011-1005)

All Ruby users should upgrade to these updated packages, which contain
backported patches to resolve these issues.

SL6:
   i386
      ruby-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-tcltk-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-static-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-ri-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-rdoc-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-irb-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-docs-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
   x86_64
      ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-libs-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-rdoc-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-ri-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-static-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-irb-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-docs-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-devel-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
      ruby-1.8.7.299-7.el6_1.1.x86_64.rpm
      ruby-tcltk-1.8.7.299-7.el6_1.1.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV