USN-900-1: Ruby vulnerabilities


 
02-16-2010

Referenced CVEs:
CVE-2009-1904, CVE-2009-4124, CVE-2009-4492


Description:
===========================================================
Ubuntu Security Notice USN-900-1          February 16, 2010
ruby1.9 vulnerabilities
CVE-2009-1904, CVE-2009-4124, CVE-2009-4492
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libruby1.9    1.9.0.2-7ubuntu1.3
  ruby1.9       1.9.0.2-7ubuntu1.3

Ubuntu 9.04:
  libruby1.9    1.9.0.2-9ubuntu1.2
  ruby1.9       1.9.0.2-9ubuntu1.2

Ubuntu 9.10:
  libruby1.9    1.9.0.5-1ubuntu1.2
  ruby1.9       1.9.0.5-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)

Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)

It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904)
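
The log-sanitization issue (CVE-2009-4492) comes down to control characters from untrusted input reaching a log that is later viewed in a terminal. The following is an added example, not code from the advisory or from Ruby's own fix: it shows an application-level log formatter that makes control characters visible before they are written. The helper names (`neutralize_log_data`, `build_safe_logger`, `build_raw_logger`, `log_both`) and the sample request are hypothetical and constructed for illustration.

```ruby
require "logger"
require "stringio"

# Hypothetical helper: turn control characters (ESC, BEL, CR, LF, ...) and
# backslashes into visible escapes, so a terminal displaying the log never
# interprets them and one message cannot spill onto extra log lines.
def neutralize_log_data(data)
  data.to_s.scrub("?").gsub(/[[:cntrl:]\\]/) { |ch| ch.dump[1...-1] }
end

# Logger whose formatter neutralizes every message before it is written.
def build_safe_logger(io)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, _time, _progname, msg|
    "#{severity} #{neutralize_log_data(msg)}\n"
  end
  logger
end

# Logger that writes messages verbatim, for comparison only.
def build_raw_logger(io)
  logger = Logger.new(io)
  logger.formatter = proc { |severity, _t, _p, msg| "#{severity} #{msg}\n" }
  logger
end

# Constructed sample: a request line carrying terminal colour escape
# sequences and an embedded newline that mimics a second log entry.
SAMPLE_REQUEST = "GET /\e[31mred\e[0m\nINFO forged entry HTTP/1.1"

# Log the same message through both loggers and return what was written.
def log_both(message)
  raw = StringIO.new
  safe = StringIO.new
  build_raw_logger(raw).info(message)
  build_safe_logger(safe).info(message)
  { raw: raw.string, safe: safe.string }
end

if __FILE__ == $PROGRAM_NAME
  result = log_both(SAMPLE_REQUEST)
  puts result[:safe]        # one line, escapes shown as text
  puts result[:raw].inspect # inspect keeps the raw bytes from reaching the terminal
end
```

Upgrading to the package versions listed above remains the fix; a formatter like this only limits what reaches the log from code you control.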




