Security Advisories (RSS) forum: post 302245313 by Linux Bot on Thursday 9th of October 2008, 10:30:04 PM
USN-651-1: Ruby vulnerabilities

Referenced CVEs:
CVE-2008-2376, CVE-2008-3443, CVE-2008-3655, CVE-2008-3656, CVE-2008-3657, CVE-2008-3790, CVE-2008-3905


Description:
===========================================================
Ubuntu Security Notice USN-651-1                  October 10, 2008
ruby1.8 vulnerabilities
CVE-2008-2376, CVE-2008-3443, CVE-2008-3655, CVE-2008-3656,
CVE-2008-3657, CVE-2008-3790, CVE-2008-3905
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libruby1.8      1.8.4-1ubuntu1.6
  ruby1.8         1.8.4-1ubuntu1.6

Ubuntu 7.04:
  libruby1.8      1.8.5-4ubuntu2.3
  ruby1.8         1.8.5-4ubuntu2.3

Ubuntu 7.10:
  libruby1.8      1.8.6.36-1ubuntu3.3
  ruby1.8         1.8.6.36-1ubuntu3.3

Ubuntu 8.04 LTS:
  libruby1.8      1.8.6.111-2ubuntu1.2
  ruby1.8         1.8.6.111-2ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Akira Tagoh discovered a vulnerability in Ruby which led to an integer
overflow. If a user or automated system were tricked into running a
malicious script, an attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2008-2376)

Laurent Gaffie discovered that Ruby did not properly check for memory
allocation failures. If a user or automated system were tricked into
running a malicious script, an attacker could cause a denial of
service. (CVE-2008-3443)

Keita Yamaguchi discovered several safe level vulnerabilities in Ruby.
An attacker could use this to bypass intended access restrictions.
(CVE-2008-3655)

Keita Yamaguchi discovered that WEBrick in Ruby did not properly
validate paths ending with ".". A remote attacker could send a crafted
HTTP request and cause a denial of service. (CVE-2008-3656)

Keita Yamaguchi discovered that the dl module in Ruby did not check
the taintness of inputs. An attacker could exploit this vulnerability
to bypass safe levels and execute dangerous functions. (CVE-2008-3657)

Luka Treiber and Mitja Kolsek discovered that REXML in Ruby did not
always use expansion limits when processing XML documents. If a user or
automated system were tricked into opening a crafted XML file, an attacker
could cause a denial of service via CPU consumption. (CVE-2008-3790)

Jan Lieskovsky discovered several flaws in the name resolver of Ruby. A
remote attacker could exploit this to spoof DNS entries, which could
lead to misdirected traffic. This is a different vulnerability from
CVE-2008-1447. (CVE-2008-3905)
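The REXML issue (CVE-2008-3790) is the one in this notice that an administrator can exercise directly: the fix is to make sure entity expansion is always bounded. The script below is an added example written for this page, not code from the advisory or from the Ruby project. It builds a constructed XML document with a small chain of nested general entities and shows how REXML's `Document.entity_expansion_limit` guard (present in current REXML releases) stops processing once the budget is exceeded. The entity names, the `expand_with_limit` helper and the limit values used are this example's own, and it runs against a current Ruby, not the 1.8 packages listed above.

```ruby
require 'rexml/document'

# Constructed sample document: each entity references the previous one ten
# times, so a single &d; reference expands to 1000 copies of "x" and costs
# 1 + 10 + 100 + 1000 = 1111 entity expansions. This is the nesting pattern
# the advisory refers to, kept deliberately tiny.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  ]>
  <r>&d;</r>
XML

# Parse +xml+ with REXML's global entity-expansion limit temporarily set to
# +limit+, then read the root element's text, which is where REXML performs
# (and counts) the expansion. Returns [:ok, expanded_length] when the
# document stays within budget and [:rejected, message] when REXML aborts.
# The previous limit is restored afterwards because the setting is global.
def expand_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  text = doc.root.text
  [:ok, text.length]
rescue RuntimeError => e
  # REXML raises a RuntimeError (or a ParseException, which is one) when the
  # expansion count or expanded size exceeds the configured limits.
  [:rejected, e.message]
ensure
  REXML::Document.entity_expansion_limit = previous
end

# Default budget (10000 expansions): the 1111-expansion document is accepted.
status, detail = expand_with_limit(NESTED_ENTITY_XML, 10_000)
puts "limit 10000: #{status} (#{detail})"

# A budget of 100 is exhausted partway through and processing is aborted,
# bounding the CPU time an untrusted document can consume.
status, detail = expand_with_limit(NESTED_ENTITY_XML, 100)
puts "limit 100:   #{status} (#{detail})"
```

The same mechanism protects real workloads: set `REXML::Document.entity_expansion_limit` (and `entity_expansion_text_limit` for the expanded size) once at start-up to the smallest value your documents legitimately need, rather than relying on the default.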
RUBY-SWITCH(1)                                                  RUBY-SWITCH(1)

NAME
       ruby-switch - switch between different Ruby interpreters

USAGE
       ruby-switch --list
       ruby-switch --check
       ruby-switch --set RUBYVERSION
       ruby-switch --auto

DESCRIPTION
       ruby-switch can be used to easily switch to different Ruby interpreters
       as the default system-wide interpreter for your Debian system.

       When run with --list, all supported Ruby interpreters are listed.

       When --check is passed, ruby-switch will check which Ruby interpreter is
       currently being used. If the settings are inconsistent -- e.g. `ruby` is
       Ruby 1.8 and `gem` is using Ruby 1.9.1 -- ruby-switch will issue a big
       warning.

       When --set RUBYINTERPRETER is used, ruby-switch will switch your system
       to the corresponding Ruby interpreter. This includes, for example, the
       default implementations for the following programs: ruby, gem, irb, erb,
       testrb, rdoc, ri.

       ruby-switch --set auto will make your system use the default Ruby
       interpreter currently suggested by Debian.

OPTIONS
       -h, --help
              Displays the help and exits.

A NOTE ON RUBY 1.9.x
       Ruby uses two parallel versioning schemes: the `Ruby library
       compatibility version' (1.9.1 at the time of writing this), which is
       similar to a library SONAME, and the `Ruby version' (1.9.3 is about to
       be released at the time of writing). Ruby packages in Debian are named
       using the Ruby library compatibility version, which is sometimes
       confusing for users who do not follow Ruby development closely.
       ruby-switch also uses the Ruby library compatibility version, so
       specifying `ruby1.9.1' might give you Ruby with version 1.9.2, or with
       version 1.9.3, depending on the current Ruby version of the `ruby1.9.1'
       package.

COPYRIGHT AND AUTHORS
       Copyright (c) 2011, Antonio Terceiro <terceiro@debian.org>

       This program is free software: you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation, either version 3 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
       Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program. If not, see <http://www.gnu.org/licenses/>.

                                  2011-11-20                    RUBY-SWITCH(1)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.