LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Red Hat alert RHSA-2004:441-01 (ruby)



From:
    	      bugzilla@redhat.com


To:
    	      enterprise-watch-list@redhat.com


Subject:
    	      [RHSA-2004:441-01] Updated ruby package fixes security flaw


Date:
    	      Thu, 30 Sep 2004 10:53 -0400



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated ruby package fixes security flaw
Advisory ID:       RHSA-2004:441-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
Keywords:          file permission
CVE Names:         CAN-2004-0755
- ---------------------------------------------------------------------

1. Summary:

An updated ruby package that fixes insecure file permissions for CGI session
files is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ruby is an interpreted scripting language for object-oriented programming.

Andres Salomon reported an insecure file permissions flaw in the CGI
session management of Ruby.  FileStore created world readable files that
could allow a malicious local user the ability to read CGI session data. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains a
backported patch to CGI::Session FileStore.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130065 - CAN-2004-0755 ruby insecure file permissions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/rub...
eb97376e716aa09d718d5afc0f4a0020  ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490  irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19  ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e  ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6  ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b  ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e  ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/rub...
eb97376e716aa09d718d5afc0f4a0020  ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490  irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19  ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e  ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6  ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b  ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e  ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/rub...
eb97376e716aa09d718d5afc0f4a0020  ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490  irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19  ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e  ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6  ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b  ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e  ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ruby-...
4a005a302e389f88e0059a04ffe1c301  ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3  ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d  ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e  ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993  ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70  ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3  ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c  ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c  ruby-mode-1.6.8-9.EL3.2.ia64.rpm

ppc:
e111badd02691f2d3af1228cfd1305ad  ruby-1.6.8-9.EL3.2.ppc.rpm
71f4002652015dc1394d1a0707dac921  ruby-devel-1.6.8-9.EL3.2.ppc.rpm
2834716a178d5c22b2a0bdc3c18e4569  ruby-libs-1.6.8-9.EL3.2.ppc.rpm
c722c0ce315e1e5a4229e94b1518ba30  ruby-mode-1.6.8-9.EL3.2.ppc.rpm

s390:
ba3145afb52bc659a5efcc0452a55ff3  ruby-1.6.8-9.EL3.2.s390.rpm
e52eb4855a8501f0c2fccf2b1e3524aa  ruby-devel-1.6.8-9.EL3.2.s390.rpm
6b18d38bd6d62c84d757f229845b6079  ruby-libs-1.6.8-9.EL3.2.s390.rpm
0cf38f2a6c42ceb80a674bcc9ffa557d  ruby-mode-1.6.8-9.EL3.2.s390.rpm

s390x:
7292fe703498f5ee33a20d69f7ad6cd1  ruby-1.6.8-9.EL3.2.s390x.rpm
e1ff142228b28536b4a3977db8d430a7  ruby-devel-1.6.8-9.EL3.2.s390x.rpm
c1849a6c9570941144914d7d518d71e8  ruby-libs-1.6.8-9.EL3.2.s390x.rpm
fd9f25954b2d1b87d521848a6bf2501b  ruby-mode-1.6.8-9.EL3.2.s390x.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6  ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a  ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d  ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1  ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/...
4a005a302e389f88e0059a04ffe1c301  ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3  ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d  ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e  ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993  ruby-mode-1.6.8-9.EL3.2.i386.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6  ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a  ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d  ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1  ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ruby-...
4a005a302e389f88e0059a04ffe1c301  ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3  ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d  ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e  ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993  ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70  ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3  ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c  ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c  ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6  ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a  ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d  ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1  ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ruby-...
4a005a302e389f88e0059a04ffe1c301  ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3  ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d  ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e  ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993  ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70  ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3  ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c  ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c  ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6  ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a  ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d  ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1  ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3gXlSAg2UNWIIRAkXLAKChOubcTfVhoSGLL/DRgUQbMxbD2wCfRlBD
foKv94hXR1OqHdgnMd45cGE=
=mE/N
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds