
[SECURITY] [DLA 235-1] ruby1.9.1 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ruby1.9.1
Version        : 1.9.2.0-2+deb6u4
CVE ID         : CVE-2011-0188 CVE-2011-2705 CVE-2012-4522 CVE-2013-0256
                 CVE-2013-2065 CVE-2015-1855

CVE-2011-0188
    The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
    Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
    and other platforms, does not properly allocate memory, which allows
    context-dependent attackers to execute arbitrary code or cause a
    denial of service (application crash) via vectors involving creation
    of a large BigDecimal value within a 64-bit process, related to an
    "integer truncation issue."

CVE-2011-2705
    Use upstream SVN r32050 to modify the PRNG state so that a forked child
    process with the same pid does not repeat the parent's random number
    sequence. Reported by Eric Wong.
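The following Ruby example, added here and not part of the advisory or of Ruby's own patch, shows the failure mode this CVE is about and the mitigation application code should apply anyway: a `Random` object's state is duplicated by `fork`, so two children that inherit the same state draw the same number unless the child reseeds. The seed `12345` and the helper names `draw_in_child` and `children_share_sequence?` are constructed for this illustration; the same reasoning applies to `Kernel#rand` (reseed with `srand`) and to any other generator whose state lives in process memory.

```ruby
# Draw one value from +rng+ inside a forked child and return it to the parent.
# fork copies the whole process, including the generator's internal state, so
# the child starts exactly where the parent's copy of +rng+ stood.
def draw_in_child(rng, reseed: false)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    # Mitigation: replace the inherited state with a freshly seeded generator.
    rng = Random.new if reseed
    writer.write(Marshal.dump(rng.rand(2**64)))
    writer.close
    exit!(0) # skip at_exit handlers that belong to the parent
  end
  writer.close
  value = Marshal.load(reader.read)
  reader.close
  Process.wait(pid)
  value
end

# Fork two children from the same parent state and report whether they produced
# the same value. Without reseeding they always do; with reseeding they do not.
def children_share_sequence?(reseed: false)
  rng = Random.new(12345) # constructed seed so the parent state is reproducible
  a = draw_in_child(rng, reseed: reseed)
  b = draw_in_child(rng, reseed: reseed)
  a == b
end

if __FILE__ == $PROGRAM_NAME
  puts "inherited state, no reseed: same value in both children? #{children_share_sequence?}"
  puts "reseeded in child:          same value in both children? #{children_share_sequence?(reseed: true)}"
end
```

Worker pools, pre-forking servers and test runners that fork are the usual places this surfaces; the cheap rule is to reseed every generator you own in the child immediately after `fork` (or in a `Process.fork` wrapper) rather than relying on the runtime to notice the pid change.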

CVE-2012-4522
    The rb_get_path_check function in file.c in Ruby 1.9.3 before
    patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent
    attackers to create files in unexpected locations or with unexpected
    names via a NUL byte in a file path.
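Added example (not from the advisory or from Ruby's fix): a defensive path check that rejects NUL bytes before a string reaches the C runtime, together with a helper that shows the name the C library would actually have used. Patched Ruby raises `ArgumentError` for such strings itself; the explicit check is still useful in code that must run on older runtimes or that wants a clearer error. `UnsafePathError`, `check_path!`, `c_visible_name` and `write_report` are names chosen for this illustration.

```ruby
require 'tmpdir'

class UnsafePathError < ArgumentError; end

# Raise unless +path+ is a String free of NUL bytes. A C string ends at the
# first NUL, so "report.txt\0.pdf" would have been opened as "report.txt":
# a different name than the one the caller validated.
def check_path!(path)
  raise UnsafePathError, "path must be a String" unless path.is_a?(String)
  if path.include?("\0")
    raise UnsafePathError,
          "path contains a NUL byte; C would see #{c_visible_name(path).inspect}"
  end
  path
end

# The portion of +path+ a NUL-terminated C API would see: everything before
# the first NUL (the whole string when there is none).
def c_visible_name(path)
  path.split("\0", 2).first || ""
end

# Write +contents+ to a file named +name+ inside +dir+, refusing names that
# would be silently truncated. Returns the path that was written.
def write_report(dir, name, contents)
  check_path!(name)
  target = File.join(dir, name)
  File.open(target, "w") { |f| f.write(contents) }
  target
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts write_report(dir, "report.txt", "ok")
    begin
      write_report(dir, "report.txt\0.pdf", "not written")
    rescue UnsafePathError => e
      puts "rejected: #{e.message}"
    end
  end
end
```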

CVE-2013-0256
    darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before
    4.0.0.preview2.1, as used in Ruby, does not properly generate
    documents, which allows remote attackers to conduct cross-site
    scripting (XSS) attacks via a crafted URL.

CVE-2013-2065
    (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426,
    and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for
    native functions, which allows context-dependent attackers to bypass
    intended $SAFE level restrictions.

CVE-2015-1855
    The hostname matching implementation in the OpenSSL extension violates
    RFC 6125.
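As an added example, not taken from the advisory or from Ruby's OpenSSL extension, here is a hostname matcher written to the RFC 6125 rules that the pre-fix implementation did not enforce: case-insensitive comparison, a wildcard only in the left-most label, at most one wildcard, no wildcard match across a dot (so `*.example.com` must not match `a.b.example.com`), no wildcard in a name with fewer than three labels, no wildcard inside an IDNA A-label (`xn--`), and no dNSName matching at all for IP literals, which belong to iPAddress entries. Function names (`rfc6125_hostname_match?`, `label_match?`, `ip_literal?`, `san_dns_names_match?`) are chosen for this illustration.

```ruby
require 'ipaddr'

# True when +hostname+ is an IP address literal; such names must be matched
# against iPAddress SAN entries, never against dNSName patterns.
def ip_literal?(hostname)
  IPAddr.new(hostname)
  true
rescue ArgumentError
  false
end

# Match one label of the presented identifier against one pattern label.
def label_match?(host_label, pat, leftmost, label_count)
  return host_label == pat unless pat.include?('*')
  return false unless leftmost          # wildcard only in the left-most label
  return false if label_count < 3       # "*.com" must never match
  return false if pat.count('*') > 1    # at most one wildcard per pattern
  # No wildcard matching inside an internationalised A-label.
  return false if pat.start_with?('xn--') || host_label.start_with?('xn--')
  prefix, suffix = pat.split('*', -1)   # "baz*" -> ["baz", ""]; "*" -> ["", ""]
  return false if host_label.length < prefix.length + suffix.length
  host_label.start_with?(prefix) && host_label.end_with?(suffix)
end

# Does the reference identifier +name+ (a dNSName SAN or CN) match +hostname+?
def rfc6125_hostname_match?(hostname, name)
  return false if ip_literal?(hostname)
  host_labels = hostname.downcase.split('.', -1)
  pat_labels  = name.downcase.split('.', -1)
  return false if host_labels.empty? || host_labels.size != pat_labels.size
  return false if host_labels.any?(&:empty?) || pat_labels.any?(&:empty?)
  pat_labels.each_with_index.all? do |pat, i|
    label_match?(host_labels[i], pat, i.zero?, pat_labels.size)
  end
end

# Accept a certificate if any of its dNSName entries matches the hostname.
def san_dns_names_match?(hostname, san_dns_names)
  san_dns_names.any? { |name| rfc6125_hostname_match?(hostname, name) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed cases: the left column is what a lax matcher would get wrong.
  [["a.b.example.com", "*.example.com"], ["www.com", "*.com"],
   ["www.example.com", "www.*.com"], ["www.example.com", "*.example.com"]].each do |h, n|
    puts "#{h} vs #{n}: #{rfc6125_hostname_match?(h, n)}"
  end
end
```

When reviewing a TLS client, the cases worth probing are exactly the ones the wildcard branch rejects above; a matcher that reduces the pattern to a regular expression with `*` turned into `.*` fails most of them.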

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

