Debian Security Advisory
DSA-3157-1 ruby1.9.1 -- security update
- Date Reported:
- 09 Feb 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-4975, CVE-2014-8080, CVE-2014-8090.
- More information:
Multiple vulnerabilities were discovered in the interpreter for the Ruby language:
The encodes() function in pack.c had an off-by-one error that could lead to a stack-based buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution.
The REXML parser could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash).
For the stable distribution (wheezy), these problems have been fixed in version 188.8.131.52-8.1+deb7u3.
For the upcoming stable distribution (jessie), these problems have been fixed in version 2.1.5-1 of the ruby2.1 source package.
For the unstable distribution (sid), these problems have been fixed in version 2.1.5-1 of the ruby2.1 source package.
We recommend that you upgrade your ruby1.9.1 packages.