Synopsis:          Moderate: ruby security update
Advisory ID:       SLSA-2014:1912-1
Issue Date:        2014-11-26
CVE Numbers:       CVE-2014-4975
                   CVE-2014-8080
                   CVE-2014-8090
--

Multiple denial of service flaws were found in the way the Ruby REXML XML
parser performed expansion of parameter entities. A specially crafted XML
document could cause REXML to use an excessive amount of CPU and memory.
CVE-2014-8090 covers entities that expand to an empty string, a case the
initial fix for CVE-2014-8080 did not cover. (CVE-2014-8080, CVE-2014-8090)
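The defence REXML relies on for this class of bug is a pair of process-wide
limits: a cap on the number of entity substitutions per document and a cap on
the expanded size of a text node. The following script is an added example,
not part of this advisory or of the Ruby project's code. The nested-entity
document it builds is constructed test input, and the helper names
(laughs_document, expand_root_text, expand_with_limits, LIMITS) are assumed.
It shows a small document parsing normally under the default limits, the same
document rejected under a tighter budget, and a deeply nested one rejected by
the text-size limit long before it can consume memory:

```ruby
require "rexml/document"

# Newer REXML (Ruby 2.1+ and the rexml gem) keeps both expansion limits on
# REXML::Security; the REXML shipped with Ruby 2.0 exposes the same setters
# on REXML::Document. Either way they are process-wide class settings.
LIMITS = defined?(REXML::Security) ? REXML::Security : REXML::Document

# Constructed "billion laughs" document (assumed sample input): lol0 is the
# literal "lol" and each lol<i> expands to +fanout+ copies of lol<i-1>, so
# &lol<depth>; expands to fanout**depth copies of "lol".
def laughs_document(depth, fanout = 10)
  defs = ['<!ENTITY lol0 "lol">']
  (1..depth).each do |i|
    defs << %(<!ENTITY lol#{i} "#{"&lol#{i - 1};" * fanout}">)
  end
  <<-XML
<?xml version="1.0"?>
<!DOCTYPE bomb [
#{defs.join("\n")}
]>
<bomb>&lol#{depth};</bomb>
  XML
end

# Parse the document and force expansion of the root element's text.
# REXML substitutes entity references lazily: Document.new parses the markup,
# and the expansion (with the limit checks) happens when the text value is
# read. Returns [:ok, text] or [:rejected, message]. Both limits raise a
# RuntimeError (REXML::ParseException is a RuntimeError subclass as well).
def expand_root_text(xml)
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text]
rescue RuntimeError => e
  [:rejected, e.message]
end

# Run expand_root_text under explicit limits and restore the previous values.
# expansions: maximum number of entity substitutions per document
#             (REXML default 10_000)
# text_bytes: maximum expanded size of one text node in bytes
#             (REXML default 10_240)
def expand_with_limits(xml, expansions:, text_bytes:)
  saved = [LIMITS.entity_expansion_limit, LIMITS.entity_expansion_text_limit]
  LIMITS.entity_expansion_limit = expansions
  LIMITS.entity_expansion_text_limit = text_bytes
  expand_root_text(xml)
ensure
  LIMITS.entity_expansion_limit, LIMITS.entity_expansion_text_limit = saved if saved
end

if __FILE__ == $0
  # Two levels of ten-fold nesting: 100 copies of "lol", within both limits.
  p expand_with_limits(laughs_document(2), expansions: 10_000, text_bytes: 10_240)
  # The same document under a budget sized for an application that only ever
  # needs a handful of references: rejected.
  p expand_with_limits(laughs_document(2), expansions: 50, text_bytes: 10_240)
  # Nine levels (10**9 copies): the text limit aborts the expansion early
  # instead of letting the process allocate gigabytes.
  p expand_with_limits(laughs_document(9), expansions: 10_000, text_bytes: 10_240)
end
```

Because the limits are class-level settings, set them once at application start
rather than around individual parses, and size them to the largest legitimate
document the service accepts; an unpatched REXML ignores the text-size limit
entirely, which is why the package update itself is still required.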

A stack-based buffer overflow was found in the implementation of the Ruby
Array pack() method. When performing base64 encoding, a single byte could
be written past the end of the buffer, possibly causing Ruby to crash.
(CVE-2014-4975)

All running instances of Ruby need to be restarted for this update to take
effect.
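Installing the new ruby-libs package does not change interpreters that are
already running: they keep the old libruby mapped until they are restarted,
and the kernel marks that mapping with a "(deleted)" suffix in
/proc/PID/maps once the RPM has replaced the file. The following script is an
added example for finding such processes; it is not part of this advisory.
The two maps excerpts are constructed sample data, and the library path and
helper names (stale_libruby_mappings, processes_needing_restart) are assumed:

```ruby
# Constructed /proc/PID/maps excerpt (assumed sample data) for an interpreter
# started before the update: the old libruby inode is still mapped.
STALE_MAPS = <<-MAPS
00400000-00401000 r-xp 00000000 fd:00 1050123    /usr/bin/ruby
7f1c9a000000-7f1c9a2a0000 r-xp 00000000 fd:00 1050777    /usr/lib64/libruby.so.2.0.0 (deleted)
7f1c9a4a0000-7f1c9a4ab000 rw-p 002a0000 fd:00 1050777    /usr/lib64/libruby.so.2.0.0 (deleted)
7f1c9a4ab000-7f1c9a4d0000 rw-p 00000000 00:00 0
7ffd3c1f2000-7ffd3c213000 rw-p 00000000 00:00 0          [stack]
MAPS

# Constructed excerpt (assumed sample data) for an interpreter started after
# the update: same path, new inode, no "(deleted)" marker.
FRESH_MAPS = <<-MAPS
00400000-00401000 r-xp 00000000 fd:00 1050123    /usr/bin/ruby
7f1c9a000000-7f1c9a2a0000 r-xp 00000000 fd:00 1051902    /usr/lib64/libruby.so.2.0.0
7f1c9a4ab000-7f1c9a4d0000 rw-p 00000000 00:00 0
MAPS

# Return the deleted libruby objects named in one maps file (empty when the
# process already runs on the updated library).
def stale_libruby_mappings(maps_text)
  maps_text.each_line.map do |line|
    # Fields: address perms offset dev inode pathname. The pathname is
    # optional and may contain spaces, so split into at most six fields.
    path = line.split(" ", 6)[5]
    next unless path
    path = path.strip
    path if path.include?("/libruby") && path.end_with?("(deleted)")
  end.compact.uniq
end

# Scan every readable process on this host; returns [[pid, [paths]], ...].
# Reading the maps of processes owned by other users requires root.
def processes_needing_restart
  Dir.glob("/proc/[0-9]*/maps").map do |maps|
    pid = maps.split("/")[2].to_i
    begin
      stale = stale_libruby_mappings(File.read(maps))
    rescue SystemCallError
      next # the process exited meanwhile, or its maps are not readable
    end
    [pid, stale] unless stale.empty?
  end.compact
end

if __FILE__ == $0
  processes_needing_restart.each do |pid, paths|
    puts "PID #{pid} still maps #{paths.join(', ')}"
  end
end
```

Run it as root after the update; any PID it lists (typically application
servers started from a Ruby service, not just interactive shells) is still
executing the vulnerable code. The needs-restarting tool from yum-utils
performs a similar check across all updated packages.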
--

SL7
  x86_64
    ruby-2.0.0.353-22.el7_0.x86_64.rpm
    ruby-debuginfo-2.0.0.353-22.el7_0.i686.rpm
    ruby-debuginfo-2.0.0.353-22.el7_0.x86_64.rpm
    ruby-libs-2.0.0.353-22.el7_0.i686.rpm
    ruby-libs-2.0.0.353-22.el7_0.x86_64.rpm
    rubygem-bigdecimal-1.2.0-22.el7_0.x86_64.rpm
    rubygem-io-console-0.4.2-22.el7_0.x86_64.rpm
    rubygem-json-1.7.7-22.el7_0.x86_64.rpm
    rubygem-psych-2.0.0-22.el7_0.x86_64.rpm
    ruby-devel-2.0.0.353-22.el7_0.x86_64.rpm
    ruby-tcltk-2.0.0.353-22.el7_0.x86_64.rpm
  noarch
    ruby-irb-2.0.0.353-22.el7_0.noarch.rpm
    rubygem-rdoc-4.0.0-22.el7_0.noarch.rpm
    rubygems-2.0.14-22.el7_0.noarch.rpm
    ruby-doc-2.0.0.353-22.el7_0.noarch.rpm
    rubygem-minitest-4.3.2-22.el7_0.noarch.rpm
    rubygem-rake-0.9.6-22.el7_0.noarch.rpm
    rubygems-devel-2.0.14-22.el7_0.noarch.rpm

- Scientific Linux Development Team