LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

June 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA June 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: ruby on SL4.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Wed, 29 Jun 2011 14:52:09 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (60 lines)

Synopsis:    Moderate: ruby security update
Issue Date:  2011-06-28
CVE Numbers: CVE-2009-4492
              CVE-2010-0541
              CVE-2011-1005
              CVE-2011-0188


Ruby is an extensible, interpreted, object-oriented, scripting language. 
It has features to process text files and to do system management tasks.

A flaw was found in the way large amounts of memory were allocated on
64-bit systems when using the BigDecimal class. A context-dependent
attacker could use this flaw to cause memory corruption, causing a Ruby
application that uses the BigDecimal class to crash or, possibly, 
execute arbitrary code. This issue did not affect 32-bit systems. 
(CVE-2011-0188)

It was found that WEBrick (the Ruby HTTP server toolkit) did not filter
terminal escape sequences from its log files. A remote attacker could 
use specially-crafted HTTP requests to inject terminal escape sequences 
into the WEBrick log files. If a victim viewed the log files with a 
terminal emulator, it could result in control characters being executed 
with the privileges of that user. (CVE-2009-4492)

A cross-site scripting (XSS) flaw was found in the way WEBrick displayed
error pages. A remote attacker could use this flaw to perform a 
cross-site scripting attack against victims by tricking them into 
visiting a specially-crafted URL. (CVE-2010-0541)

A flaw was found in the method for translating an exception message into 
a string in the Exception class. A remote attacker could use this flaw 
to bypass safe level 4 restrictions, allowing untrusted (tainted) code 
to modify arbitrary, trusted (untainted) strings, which safe level 4 
restrictions would otherwise prevent. (CVE-2011-1005)

All Ruby users should upgrade to these updated packages, which contain
backported patches to resolve these issues.

SL4:
   i386
      irb-1.8.1-16.el4.i386.rpm
      ruby-tcltk-1.8.1-16.el4.i386.rpm
      ruby-mode-1.8.1-16.el4.i386.rpm
      ruby-libs-1.8.1-16.el4.i386.rpm
      ruby-docs-1.8.1-16.el4.i386.rpm
      ruby-devel-1.8.1-16.el4.i386.rpm
      ruby-1.8.1-16.el4.i386.rpm
   x86_64
      ruby-mode-1.8.1-16.el4.x86_64.rpm
      ruby-libs-1.8.1-16.el4.x86_64.rpm
      ruby-libs-1.8.1-16.el4.i386.rpm
      ruby-docs-1.8.1-16.el4.x86_64.rpm
      ruby-devel-1.8.1-16.el4.x86_64.rpm
      ruby-1.8.1-16.el4.x86_64.rpm
      irb-1.8.1-16.el4.x86_64.rpm
      ruby-tcltk-1.8.1-16.el4.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV