[SECURITY] [DLA 235-1] ruby1.9.1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u4
CVE ID : CVE-2011-0188 CVE-2011-2705 CVE-2012-4522 CVE-2013-0256
CVE-2013-2065 CVE-2015-1855
CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
and other platforms, does not properly allocate memory, which allows
context-dependent attackers to execute arbitrary code or cause a
denial of service (application crash) via vectors involving creation
of a large BigDecimal value within a 64-bit process, related to an
"integer truncation issue."
CVE-2011-2705
use upstream SVN r32050 to modify PRNG state to prevent random number
sequence repeatation at forked child process which has same pid.
Reported by Eric Wong.
CVE-2012-4522
The rb_get_path_check function in file.c in Ruby 1.9.3 before
patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent
attackers to create files in unexpected locations or with unexpected
names via a NUL byte in a file path.
CVE-2013-0256
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before
4.0.0.preview2.1, as used in Ruby, does not properly generate
documents, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via a crafted URL.
CVE-2013-2065
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426,
and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for
native functions, which allows context-dependent attackers to bypass
intended $SAFE level restrictions.
CVE-2015-1855
OpenSSL extension hostname matching implementation violates RFC 6125
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQJ8BAEBCgBmBQJVaiFbXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hH2V0P/jCIixBnFNxdNcwgq4YcLcJD
FjclvEZJE1dRzYVaIZ7dtUkK/HrcQynoSGPHyrEJXrWjDbeiZMi1SPhFNTeT2kR3
9a2oId2jO0ZamYJPQ4/EpUBsGIGoRMYit0ip36KkO/x4kfqKRD+2InjrvoaudBJr
Hq/rtZNxRPAhDoGd1L3GgqWUPXdLX7pzRD3wrF7xN2q+qbWKpjbdmR/r2eenEcfr
ouiDq1fwIyr7cY9+9/muO72qgsiKfFq8U+eoMT7fZiQHsZLDxuv19L+08m5Lg+Qg
yTNleQVdTiiyHyAe4JH27Sv4sMsbi5T4+paVdlxSZbuQVGxWYIuX2YWSoNlPsYzg
b8wQ2NPO8MJkl4UfDFPIK3QylvaffhyFirEwUizrkvRPVujVwRvCmE+U3aMVGYiH
iaivhhHNE+QeSLogrFJm4JchYtHdUjgu4gIBkVs7nPdIwo1nbUT4dk9mMtxosIW5
rKmWijlYP8A0Rhpgd2Y9ORvpgt1IKqH+tZTxX2FO11M1rOvQiCkU4xokrjLIuwLO
V3NLpRnW4KqJzLuKvud5Gc2U6bg3qLTJtw9xa1XiUCJAngBoSdL40OdarVywO4Ou
NUCbBdSIG2hxTo2bU0yfT7mkTZS8kYDX8yS13vGs58Co0nmMTwiQ7yL4yBeR3pas
QU3kWpjLjBGyaOHn5Zqu
=Zoj9
-----END PGP SIGNATURE-----
Reply to: