Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-88-1 ruby1.8

Debian Security Advisory

DLA-88-1 ruby1.8 -- LTS security update

Date Reported:

21 Nov 2014

Affected Packages:

ruby1.8

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-0188, CVE-2011-2686, CVE-2011-2705, CVE-2011-4815, CVE-2014-8080, CVE-2014-8090.

More information:

This update fixes multiple local and remote denial of service and remote code execute problems:

• CVE-2011-0188

  Properly allocate memory, to prevent arbitrary code execution or application crash. Reported by Drew Yao.

• CVE-2011-2686

  Reinitialize the random seed when forking to prevent CVE-2003-0900 like situations.

• CVE-2011-2705

  Modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.

• CVE-2011-4815

  Fix a problem with predictable hash collisions resulting in denial of service (CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.

• CVE-2014-8080

  Fix REXML parser to prevent memory consumption denial of service via crafted XML documents. Reported by Willis Vandevanter.

• CVE-2014-8090

  Add REXML::Document#document to complement the fix for CVE-2014-8080. Reported by Tomas Hoger.

For Debian 6 Squeeze, these issues have been fixed in ruby1.8 version 1.8.7.302-2squeeze3