Debian Security Advisory
DLA-200-1 ruby1.9.1 -- LTS security update
- Date Reported: 15 Apr 2015
- Affected Packages: ruby1.9.1
- Security database references: In Mitre's CVE dictionary: CVE-2014-4975, CVE-2014-8080, CVE-2014-8090.
- More information:
The encodes() function in pack.c had an off-by-one error that could lead to a stack-based buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution.
The REXML parser could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash).
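The entity-expansion denial of service described above can be contained in application code by capping how much text REXML may produce from entity references when it parses untrusted input. The following is an added example, not code from the advisory or from the Ruby or Debian projects. It uses REXML's `REXML::Security.entity_expansion_text_limit` setting (Ruby 2.1 and later; the REXML in Ruby 1.9.3 and 2.0 exposes the same limit as `REXML::Document.entity_expansion_text_limit`), and the two sample documents are constructed for the demonstration. The limit is defence in depth alongside the package update, and REXML applies it lazily, so the code reads the parsed text to force expansion inside the guarded region.

```ruby
# Added example (not from the Debian advisory): parse untrusted XML with REXML
# while capping entity expansion, the kind of memory-exhaustion DoS the
# advisory describes for the REXML parser. Needs the rexml library that ships
# with Ruby.
require 'rexml/document'

# Parse an XML string under a tightened entity-expansion text limit (bytes).
# Returns [:ok, root_text] when the document is accepted, or
# [:rejected, message] when REXML aborts because expansion grew past the limit
# (or the document is otherwise malformed). The previous global limit is
# restored on every exit path so other callers are not affected.
def parse_untrusted_xml(xml, text_limit_bytes: 1024)
  old_limit = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_text_limit = text_limit_bytes
  doc = REXML::Document.new(xml)
  # Entity references in text are expanded lazily; reading the text is what
  # triggers expansion and therefore the limit check.
  [:ok, doc.root.text]
rescue RuntimeError => e
  # REXML raises RuntimeError ("entity expansion has grown too large") for the
  # limit, and REXML::ParseException is itself a RuntimeError subclass.
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_text_limit = old_limit
end

# Constructed benign document: no entity references, far below any limit.
BENIGN_XML = '<note>hello</note>'

# Constructed nested-entity document: each entity references the previous one
# ten times, so the ~300-byte input expands to 10 * 10 * 10 * 10 = 10,000 bytes
# of root text. Under the 1 KiB limit above REXML stops expanding partway
# through and the document is rejected instead of being materialised.
EXPANDING_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <r>&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;</r>
XML

if $PROGRAM_NAME == __FILE__
  p parse_untrusted_xml(BENIGN_XML)                            # [:ok, "hello"]
  p parse_untrusted_xml(EXPANDING_XML, text_limit_bytes: 1024) # [:rejected, "..."]
end
```

The 1 KiB limit is deliberately tight for the demonstration; a real service should pick a value just above the largest legitimate document it expects, and should combine it with `REXML::Security.entity_expansion_limit` (a cap on the number of expansions) rather than rely on the text limit alone.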