
Pardus alert 2010-19 (ruby)

From:  Eren Turkay <eren@pardus.org.tr>
To:  pardus-security@pardus.org.tr
Subject:  [Pardus-security] [PLSA 2010-19] [UPDATE] Ruby:Terminal Escape Sequences Weakness
Date:  Thu, 4 Feb 2010 16:01:42 +0200 (EET)
Message-ID:  <20100204140142.B1FB6A7AB3B@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-19            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-02-04
  Severity: 2
      Type: Remote
------------------------------------------------------------------------

Summary
=======

A weakness has been reported in Ruby, which can be exploited by
malicious people to manipulate certain data.

[UPDATE] The issue is fixed in Pardus 2008

Description
===========

WEBrick 1.3.1 in Ruby writes data to a log file without sanitizing
non-printable characters, which might allow remote attackers to modify a
window's title, or possibly execute arbitrary commands or overwrite
files, via an HTTP request containing an escape sequence for a terminal
emulator.

Affected packages:

  Pardus 2009:
    ruby, all before 1.8.7_p249-22-5

  Pardus 2008:
    ruby, all before 1.8.7_p249-20-8

Resolution
==========

There are update(s) for ruby. You can update them via Package Manager or
with a single command from console:

  Pardus 2008:
    pisi up ruby

  Pardus 2009:
    pisi up ruby

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12138
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4492
  * http://www.ruby-lang.org/en/news/2010/01/10/webrick-escap...
  * http://www.securityfocus.com/bid/37710

------------------------------------------------------------------------

_______________________________________________
Pardus-security mailing list
Pardus-security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
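
The class of weakness described above (request data written to a log with non-printable characters intact) can be closed in application-level logging by escaping every client-controlled field before it is written. The following is an added example, not part of the advisory and not the fix shipped in the updated ruby package; the function names, the log format and the sample request are constructed for illustration.

```ruby
# Added example (not WEBrick's code): neutralise terminal control bytes in
# request-derived data before it reaches a log file.

# Everything outside printable ASCII, plus '"' (0x22) and '\' (0x5c) so a
# client can neither break the quoted field nor forge an escaped byte.
UNSAFE_BYTE = /[^\x20\x21\x23-\x5b\x5d-\x7e]/n

# Render every unsafe byte as a literal \xNN; the result is printable ASCII.
def sanitize_log_field(field)
  field.to_s.b.gsub(UNSAFE_BYTE) { |b| format("\\x%02x", b.ord) }
       .force_encoding(Encoding::US_ASCII)
end

# True when a line already on disk contains C0 control bytes or DEL, which a
# terminal emulator may act on. The trailing newline is ignored.
def terminal_unsafe?(line)
  line.b.chomp.match?(/[\x00-\x1f\x7f]/n)
end

# Hypothetical access-log formatter: each client-controlled field is escaped.
def access_log_line(remote_addr, request_line, status)
  format("%s \"%s\" %d\n", sanitize_log_field(remote_addr),
         sanitize_log_field(request_line), status)
end

# Constructed sample: a request line carrying an OSC "set window title"
# sequence (ESC ] 0 ; text BEL).
SAMPLE_REQUEST = "GET /\e]0;spoofed title\a HTTP/1.1"

if __FILE__ == $PROGRAM_NAME
  raw  = format("%s \"%s\" %d\n", "192.0.2.10", SAMPLE_REQUEST, 404)
  safe = access_log_line("192.0.2.10", SAMPLE_REQUEST, 404)
  puts "raw line unsafe?  #{terminal_unsafe?(raw)}"
  puts "safe line unsafe? #{terminal_unsafe?(safe)}"
  print safe
end
```

`terminal_unsafe?` can also be run over existing log files to find entries written before the update was applied; viewing such files through a pager that does not pass raw control characters avoids triggering them.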



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds