Debian Security Advisory

DLA-88-1 ruby1.8 -- LTS security update

Date Reported:
21 Nov 2014
Affected Packages:
ruby1.8
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2011-0188, CVE-2011-2686, CVE-2011-2705, CVE-2011-4815, CVE-2014-8080, CVE-2014-8090.
More information:

This update fixes multiple local and remote denial of service and remote code execute problems:

  • CVE-2011-0188

    Properly allocate memory, to prevent arbitrary code execution or application crash. Reported by Drew Yao.

  • CVE-2011-2686

    Reinitialize the random seed when forking to prevent CVE-2003-0900 like situations.

  • CVE-2011-2705

    Modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.

  • CVE-2011-4815

    Fix a problem with predictable hash collisions resulting in denial of service (CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.

  • CVE-2014-8080

    Fix REXML parser to prevent memory consumption denial of service via crafted XML documents. Reported by Willis Vandevanter.

  • CVE-2014-8090

    Add REXML::Document#document to complement the fix for CVE-2014-8080. Reported by Tomas Hoger.

For Debian 6 Squeeze, these issues have been fixed in ruby1.8 version 1.8.7.302-2squeeze3