lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1QOVmf-0007FH-6h@titan.mandriva.com>
Date: Mon, 23 May 2011 16:07:01 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:097 ] ruby

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:097
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ruby
 Date    : May 23, 2011
 Affected: 2009.0, 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in ruby:
 
 Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server
 in Ruby allows remote attackers to inject arbitrary web script or HTML
 via a crafted URI that triggers a UTF-7 error page (CVE-2010-0541).
 
 The FileUtils.remove_entry_secure method in Ruby allows local users
 to delete arbitrary files via a symlink attack (CVE-2011-1004).
 
 The safe-level feature in Ruby allows context-dependent attackers
 to modify strings via the Exception#to_s method, as demonstrated by
 changing an intended pathname (CVE-2011-1005).
 
 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
 Ruby does not properly allocate memory, which allows context-dependent
 attackers to execute arbitrary code or cause a denial of service
 (application crash) via vectors involving creation of a large
 BigDecimal value within a 64-bit process, related to an integer
 truncation issue. (CVE-2011-0188).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1004
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1005
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 c066384f71562d23b04e4f37e06cd167  2009.0/i586/ruby-1.8.7-7p72.4mdv2009.0.i586.rpm
 663d190c3a9040a5e1f63d3c3ff48ba1  2009.0/i586/ruby-devel-1.8.7-7p72.4mdv2009.0.i586.rpm
 beb5b53b8d66028329b8e1884aa18c90  2009.0/i586/ruby-doc-1.8.7-7p72.4mdv2009.0.i586.rpm
 38bea5030db5e2d25f6348ef15150486  2009.0/i586/ruby-tk-1.8.7-7p72.4mdv2009.0.i586.rpm 
 fbe12ae1b2026227568007c26c3bc0c4  2009.0/SRPMS/ruby-1.8.7-7p72.4mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 68a7d27517f1848f660418aa584eb3da  2009.0/x86_64/ruby-1.8.7-7p72.4mdv2009.0.x86_64.rpm
 19749daa6bf45dc43daa4561f107134c  2009.0/x86_64/ruby-devel-1.8.7-7p72.4mdv2009.0.x86_64.rpm
 68fb72ae12ba5ceadcc22434e13b4db1  2009.0/x86_64/ruby-doc-1.8.7-7p72.4mdv2009.0.x86_64.rpm
 9f0f091ffb3f1fc1418f765b974d93da  2009.0/x86_64/ruby-tk-1.8.7-7p72.4mdv2009.0.x86_64.rpm 
 fbe12ae1b2026227568007c26c3bc0c4  2009.0/SRPMS/ruby-1.8.7-7p72.4mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 ddeaf58e58815fe6cc74655d622543af  2010.1/i586/ruby-1.8.7.p249-4.1mdv2010.2.i586.rpm
 6f18aaa77d93fcddbb98e12e5e829b2b  2010.1/i586/ruby-devel-1.8.7.p249-4.1mdv2010.2.i586.rpm
 5f23410b06cb0c11483ad0944511521c  2010.1/i586/ruby-doc-1.8.7.p249-4.1mdv2010.2.i586.rpm
 8cfeb511b56f105eb9c4f76be8255e65  2010.1/i586/ruby-tk-1.8.7.p249-4.1mdv2010.2.i586.rpm 
 26ba24fef0f0c25c1906479c4711e095  2010.1/SRPMS/ruby-1.8.7.p249-4.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 9ce41813fa1b4c75c2427fd605127e0b  2010.1/x86_64/ruby-1.8.7.p249-4.1mdv2010.2.x86_64.rpm
 c20daba0703471c7a6131410ecad9ad6  2010.1/x86_64/ruby-devel-1.8.7.p249-4.1mdv2010.2.x86_64.rpm
 1d87d641bb55721b342a8c1d94483146  2010.1/x86_64/ruby-doc-1.8.7.p249-4.1mdv2010.2.x86_64.rpm
 307294ebb3e8fd4b4c56553c69f5c4d2  2010.1/x86_64/ruby-tk-1.8.7.p249-4.1mdv2010.2.x86_64.rpm 
 26ba24fef0f0c25c1906479c4711e095  2010.1/SRPMS/ruby-1.8.7.p249-4.1mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 d07c49b37323079332997e866458ae9d  mes5/i586/ruby-1.8.7-7p72.4mdvmes5.2.i586.rpm
 5f7223ff9adf5efabaea360e5b18aadf  mes5/i586/ruby-devel-1.8.7-7p72.4mdvmes5.2.i586.rpm
 43901d6c806fa7233a6f5523e8f50390  mes5/i586/ruby-doc-1.8.7-7p72.4mdvmes5.2.i586.rpm
 350d1f6430aecfc3f2273faa2ccbb780  mes5/i586/ruby-tk-1.8.7-7p72.4mdvmes5.2.i586.rpm 
 45603b65b4f80c8e1858bbc84daf4494  mes5/SRPMS/ruby-1.8.7-7p72.4mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 c6c7bd10892509e91ce007670cfaa22f  mes5/x86_64/ruby-1.8.7-7p72.4mdvmes5.2.x86_64.rpm
 3bb3451b8ed9ab86b10ef43a090d362e  mes5/x86_64/ruby-devel-1.8.7-7p72.4mdvmes5.2.x86_64.rpm
 dff5787e4172ea0941033b596293c08f  mes5/x86_64/ruby-doc-1.8.7-7p72.4mdvmes5.2.x86_64.rpm
 2c8951924ef6f80d1ca887f82f8deb47  mes5/x86_64/ruby-tk-1.8.7-7p72.4mdvmes5.2.x86_64.rpm 
 45603b65b4f80c8e1858bbc84daf4494  mes5/SRPMS/ruby-1.8.7-7p72.4mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFN2jqhmqjQ0CJFipgRAlnKAKDcf6I3beHFSSrX86ob/PzT+NwtxgCeNgsq
uMw3t7u8fkmaD51bIO3CaIw=
=yXr+
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ