Debian Security Advisory
DLA-88-1 ruby1.8 -- LTS security update
- Date Reported:
- 21 Nov 2014
- Affected Packages:
- ruby1.8
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-0188, CVE-2011-2686, CVE-2011-2705, CVE-2011-4815, CVE-2014-8080, CVE-2014-8090.
- More information:
-
This update fixes multiple local and remote denial of service and remote code execute problems:
- CVE-2011-0188
Properly allocate memory, to prevent arbitrary code execution or application crash. Reported by Drew Yao.
- CVE-2011-2686
Reinitialize the random seed when forking to prevent CVE-2003-0900 like situations.
- CVE-2011-2705
Modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.
- CVE-2011-4815
Fix a problem with predictable hash collisions resulting in denial of service (CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.
- CVE-2014-8080
Fix REXML parser to prevent memory consumption denial of service via crafted XML documents. Reported by Willis Vandevanter.
- CVE-2014-8090
Add REXML::Document#document to complement the fix for CVE-2014-8080. Reported by Tomas Hoger.
For Debian 6
Squeeze
, these issues have been fixed in ruby1.8 version 1.8.7.302-2squeeze3 - CVE-2011-0188