USN-691-1: Ruby vulnerability

12-16-2008

Registered User

26,240, 27

Join Date: Sep 2000

Last Activity: 1 August 2008, 3:09 PM EDT

Posts: 26,240

Thanks Given: 0

Thanked 27 Times in 26 Posts

USN-691-1: Ruby vulnerability

Referenced CVEs:
CVE-2008-3443, CVE-2008-3790

Description:
===========================================================Ubuntu Security Notice USN-691-1 December 16, 2008ruby1.9 vulnerabilityCVE-2008-3443, CVE-2008-3790===========================================================A security issue affects the following Ubuntu releases:Ubuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 8.10: ruby1.9 1.9.0.2-7ubuntu1.1In general, a standard system upgrade is sufficient to effect thenecessary changes.Details follow:Laurent Gaffie discovered that Ruby did not properly check for memoryallocation failures. If a user or automated system were tricked intorunning a malicious script, an attacker could cause a denial ofservice. (CVE-2008-3443)This update also fixes a regression in the upstream patch previouslyapplied to fix CVE-2008-3790. The regression would cause parsing ofsome XML documents to fail.

More...

Linux Bot

View Public Profile for Linux Bot

Find all posts by Linux Bot

ERB(1) Ruby Programmers Reference Guide ERB(1) NAME
erb -- Ruby Templating SYNOPSIS
erb [--version] [-UPdnvx] [-E ext[:int]] [-S level] [-T mode] [-r library] [--] [file ...] DESCRIPTION
erb is a command line front-end for ERB library, which is an implementation of eRuby. ERB provides an easy to use but powerful templating system for Ruby. Using ERB, actual Ruby code can be added to any plain text document for the purposes of generating document information details and/or flow control. erb is a part of Ruby. OPTIONS
--version Prints the version of erb. -E external[:internal] --encoding external[:internal] Specifies the default value(s) for external encodings and internal encoding. Values should be separated with colon (:). You can omit the one for internal encodings, then the value (Encoding.default_internal) will be nil. -P Evaluates lines starting with % as Ruby code and removes the tailing EOLs. -S level Specifies the safe level in which eRuby script will run. -T mode Specifies trim mode (default 0). mode can be one of 0 EOL remains after the embedded ruby script is evaluated. 1 EOL is removed if the line ends with %>. 2 EOL is removed if the line starts with <% and ends with %>. - EOL is removed if the line ends with -%>. And leading whitespaces are removed if the erb directive starts with <%-. -U can be one of Sets the default value for internal encodings (Encoding.default_internal) to UTF-8. -d --debug Turns on debug mode. $DEBUG will be set to true. -h --help Prints a summary of the options. -n Used with -x. Prepends the line number to each line in the output. -v Enables verbose mode. $VERBOSE will be set to true. -x Converts the eRuby script into Ruby script and prints it without line numbers. EXAMPLES
Here is an eRuby script <?xml version="1.0" ?> <% require 'prime' -%> <erb-example> <calc><%= 1+1 %></calc> <var><%= __FILE__ %></var> <library><%= Prime.each(10).to_a.join(", ") %></library> </erb-example> Command % erb -T - example.erb prints <?xml version="1.0" ?> <erb-example> <calc>2</calc> <var>example.erb</var> <library>2, 3, 5, 7</library> </erb-example> SEE ALSO
ruby(1). And see ri(1) documentation for ERB class. REPORTING BUGS
Security vulnerabilities should be reported via an email to <security@ruby-lang.org>. Reported problems will be published after being fixed. And you can report other bugs and feature requests via the Ruby Issue Tracking System (http://bugs.ruby-lang.org). Do not report security vulnerabilities via the system because it publishes the vulnerabilities immediately. AUTHORS
Written by Masatoshi SEKI. UNIX
November 7, 2012 UNIX

Security Advisories (RSS)

USN-691-1: Ruby vulnerability

LEARN ABOUT OSX

erb