Debian Security Advisory
DLA-88-1 ruby1.8 -- LTS security update
- Date Reported:
- 21 Nov 2014
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-0188, CVE-2011-2686, CVE-2011-2705, CVE-2011-4815, CVE-2014-8080, CVE-2014-8090.
- More information:
This update fixes multiple local and remote denial of service and remote code execute problems:
Properly allocate memory, to prevent arbitrary code execution or application crash. Reported by Drew Yao.
Reinitialize the random seed when forking to prevent CVE-2003-0900 like situations.
Modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.
Fix a problem with predictable hash collisions resulting in denial of service (CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.
Fix REXML parser to prevent memory consumption denial of service via crafted XML documents. Reported by Willis Vandevanter.
Add REXML::Document#document to complement the fix for CVE-2014-8080. Reported by Tomas Hoger.
For Debian 6
Squeeze, these issues have been fixed in ruby1.8 version 184.108.40.2062-2squeeze3