Synopsis: Moderate: ruby security update Issue Date: 2013-03-07 CVE Numbers: CVE-2012-4481 CVE-2013-1821 -- It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821) It was found that the SLSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat. -- SL6 x86_64 ruby-1.8.7.352-10.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-10.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-10.el6_4.x86_64.rpm ruby-devel-1.8.7.352-10.el6_4.i686.rpm ruby-devel-1.8.7.352-10.el6_4.x86_64.rpm ruby-irb-1.8.7.352-10.el6_4.x86_64.rpm ruby-libs-1.8.7.352-10.el6_4.i686.rpm ruby-libs-1.8.7.352-10.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-10.el6_4.x86_64.rpm ruby-docs-1.8.7.352-10.el6_4.x86_64.rpm ruby-ri-1.8.7.352-10.el6_4.x86_64.rpm ruby-static-1.8.7.352-10.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-10.el6_4.x86_64.rpm i386 ruby-1.8.7.352-10.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-10.el6_4.i686.rpm ruby-devel-1.8.7.352-10.el6_4.i686.rpm ruby-irb-1.8.7.352-10.el6_4.i686.rpm ruby-libs-1.8.7.352-10.el6_4.i686.rpm ruby-rdoc-1.8.7.352-10.el6_4.i686.rpm ruby-docs-1.8.7.352-10.el6_4.i686.rpm ruby-ri-1.8.7.352-10.el6_4.i686.rpm ruby-static-1.8.7.352-10.el6_4.i686.rpm ruby-tcltk-1.8.7.352-10.el6_4.i686.rpm - Scientific Linux Development Team