Subject: | |
From: | |
Reply To: | |
Date: | Wed, 29 Jun 2011 14:44:23 -0500 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
Synopsis: Moderate: ruby security update
Issue Date: 2011-06-28
CVE Numbers: CVE-2009-4492
CVE-2010-0541
CVE-2011-1004
CVE-2011-1005
CVE-2011-0188
Ruby is an extensible, interpreted, object-oriented, scripting language.
It has features to process text files and to do system management tasks.
A flaw was found in the way large amounts of memory were allocated on
64-bit systems when using the BigDecimal class. A context-dependent
attacker could use this flaw to cause memory corruption, causing a Ruby
application that uses the BigDecimal class to crash or, possibly,
execute arbitrary code. This issue did not affect 32-bit systems.
(CVE-2011-0188)
A race condition flaw was found in the remove system entries method in
the FileUtils module. If a local user ran a Ruby script that uses this
method, a local attacker could use this flaw to delete arbitrary files
and directories accessible to that user via a symbolic link attack.
(CVE-2011-1004)
It was found that WEBrick (the Ruby HTTP server toolkit) did not filter
terminal escape sequences from its log files. A remote attacker could
use specially-crafted HTTP requests to inject terminal escape sequences
into the WEBrick log files. If a victim viewed the log files with a
terminal emulator, it could result in control characters being executed
with the privileges of that user. (CVE-2009-4492)
A cross-site scripting (XSS) flaw was found in the way WEBrick displayed
error pages. A remote attacker could use this flaw to perform a
cross-site scripting attack against victims by tricking them into
visiting a specially-crafted URL. (CVE-2010-0541)
A flaw was found in the method for translating an exception message into
a string in the Exception class. A remote attacker could use this flaw
to bypass safe level 4 restrictions, allowing untrusted (tainted) code
to modify arbitrary, trusted (untainted) strings, which safe level 4
restrictions would otherwise prevent. (CVE-2011-1005)
All Ruby users should upgrade to these updated packages, which contain
backported patches to resolve these issues.
SL5:
i386
ruby-1.8.5-19.el5_6.1.i386.rpm
ruby-tcltk-1.8.5-19.el5_6.1.i386.rpm
ruby-ri-1.8.5-19.el5_6.1.i386.rpm
ruby-rdoc-1.8.5-19.el5_6.1.i386.rpm
ruby-mode-1.8.5-19.el5_6.1.i386.rpm
ruby-libs-1.8.5-19.el5_6.1.i386.rpm
ruby-irb-1.8.5-19.el5_6.1.i386.rpm
ruby-docs-1.8.5-19.el5_6.1.i386.rpm
ruby-devel-1.8.5-19.el5_6.1.i386.rpm
x86_64
ruby-libs-1.8.5-19.el5_6.1.i386.rpm
ruby-libs-1.8.5-19.el5_6.1.x86_64.rpm
ruby-mode-1.8.5-19.el5_6.1.x86_64.rpm
ruby-rdoc-1.8.5-19.el5_6.1.x86_64.rpm
ruby-ri-1.8.5-19.el5_6.1.x86_64.rpm
ruby-irb-1.8.5-19.el5_6.1.x86_64.rpm
ruby-docs-1.8.5-19.el5_6.1.x86_64.rpm
ruby-devel-1.8.5-19.el5_6.1.x86_64.rpm
ruby-devel-1.8.5-19.el5_6.1.i386.rpm
ruby-1.8.5-19.el5_6.1.x86_64.rpm
ruby-tcltk-1.8.5-19.el5_6.1.x86_64.rpm
- Scientific Linux Development Team
|
|
|