
Debian-LTS alert DLA-235-1 (ruby1.9.1)

From:  Thorsten Alteholz <debian@alteholz.de>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 235-1] ruby1.9.1 security update
Date:  Sat, 30 May 2015 22:45:15 +0200 (CEST)
Message-ID:  <alpine.DEB.2.02.1505302241220.21417@jupiter.server.alteholz.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ruby1.9.1
Version        : 1.9.2.0-2+deb6u4
CVE ID         : CVE-2011-0188 CVE-2011-2705 CVE-2012-4522 CVE-2013-0256 CVE-2013-2065 CVE-2015-1855

CVE-2011-0188

    The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."

CVE-2011-2705

    Use upstream SVN r32050 to modify the PRNG state, preventing repetition of the random number sequence in a forked child process that has the same pid. Reported by Eric Wong.

CVE-2012-4522

    The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.

CVE-2013-0256

    darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

CVE-2013-2065

    (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

CVE-2015-1855

    The OpenSSL extension's hostname matching implementation violates RFC 6125.

Archive: https://lists.debian.org/alpine.DEB.2.02.1505302241220.21...
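The last entry concerns how the OpenSSL extension compares a server's hostname with the dNSName entries in its certificate. As an added example (not code from the advisory or from Ruby itself), the following Ruby implements the wildcard rules of RFC 6125 section 6.4.3; it is an assumption that these are the rules the fix brought the extension in line with.

```ruby
# Hostname matching against a certificate dNSName per RFC 6125 section 6.4.3.
# Added example, not the Ruby project's code; it assumes the RFC's rule set is
# what a compliant TLS client enforces.

# Match one reference hostname against one presented identifier (a dNSName
# from the certificate's subjectAltName). Returns true on a match.
def hostname_matches?(hostname, presented)
  # dNSName is an IA5String, so anything outside ASCII is rejected outright.
  return false unless hostname.ascii_only? && presented.ascii_only?

  # Matching is case-insensitive; a trailing dot is ignored on both sides.
  host_labels = hostname.downcase.chomp(".").split(".")
  san_labels  = presented.downcase.chomp(".").split(".")

  # A single-label presented identifier is only ever compared literally.
  return host_labels == san_labels if san_labels.size < 2

  # Subitem 2: a wildcard stands in for exactly one label, so
  # "*.example.com" matches neither "example.com" nor "a.b.example.com".
  return false unless host_labels.size == san_labels.size

  # Subitem 1: the wildcard may only appear in the left-most label.
  return false if san_labels[1..].any? { |l| l.include?("*") }

  return false unless label_matches?(host_labels[0], san_labels[0])
  host_labels[1..] == san_labels[1..]
end

# Compare the left-most label, the only one allowed to carry a "*".
def label_matches?(host_label, san_label)
  parts = san_label.split("*", -1)
  return false if parts.size > 2                  # more than one wildcard
  return host_label == san_label if parts.size == 1

  # Subitem 3: no partial wildcard against an IDNA A-label ("xn--...");
  # only a whole-label "*" may match such a label.
  return false if host_label.start_with?("xn--") && san_label != "*"

  prefix, suffix = parts
  # The wildcard must consume at least one character, and the literal
  # prefix and suffix must both be present without overlapping.
  host_label.length > prefix.length + suffix.length &&
    host_label.start_with?(prefix) &&
    host_label.end_with?(suffix)
end
```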




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds