[FLSA-2005:152768] Updated ruby package fixes security issues

From: Marc Deslauriers (marcdeslauriers_at_videotron.ca)
Date: 05/13/05

    Date: Thu, 12 May 2005 20:36:37 -0400
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

    ---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

    Synopsis: Updated ruby package fixes security issues
    Advisory ID: FLSA:152768
    Issue date: 2005-05-12
    Product: Red Hat Linux, Fedora Core
    Keywords: Bugfix
    CVE Names: CAN-2004-0755 CAN-2004-0983
    ---------------------------------------------------------------------

    ---------------------------------------------------------------------
    1. Topic:

    An updated ruby package that fixes security issues is now available.

    Ruby is an interpreted scripting language for object-oriented
    programming.

    2. Relevant releases/architectures:

    Red Hat Linux 7.3 - i386
    Red Hat Linux 9 - i386
    Fedora Core 1 - i386

    3. Problem description:

    A flaw was discovered in the CGI module of Ruby. If an empty body is
    sent by the POST method to a CGI script that expects the MIME type
    multipart/form-data, the script can get stuck in a loop. A remote
    attacker could trigger this flaw and cause a denial of service. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0983 to this issue.
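The class of bug behind CAN-2004-0983 is a parse loop that can run without ever consuming input. The reader below is an added illustration written for this page; it is not the cgi.rb code that the erratum patches, and the class name `MultipartReader`, the size cap and the sample body are all constructed here. It rejects an empty or short body before entering the loop, and every pass through the loop moves the scan position forward, so a request with no body fails fast with `EOFError` instead of hanging the CGI process.

```ruby
require 'stringio'

# Hypothetical minimal multipart/form-data reader (added illustration, not the
# Ruby CGI module's own code). It shows the invariant that a CAN-2004-0983
# style loop violates: every iteration must consume input or terminate, and a
# body that is empty (or shorter than Content-Length) is rejected up front.
class MultipartReader
  EOL = "\r\n"
  MAX_PART_BYTES = 1024 * 1024   # refuse absurd parts instead of buffering them

  def initialize(input, boundary, content_length)
    @input = input
    @delim = "--#{boundary}"
    @content_length = content_length.to_i
  end

  # Returns an array of [field_name, body] pairs, or raises EOFError on a body
  # the loop could never make progress on.
  def read_parts
    # An empty POST has nothing for the loop to consume: fail fast.
    raise EOFError, "empty multipart body" if @content_length <= 0

    data = @input.read(@content_length)
    # IO#read(n) returns nil at EOF, so a client that announces a body but
    # sends none is caught here rather than inside the loop.
    raise EOFError, "no content body" if data.nil? || data.empty?
    raise EOFError, "body shorter than Content-Length" if data.bytesize < @content_length

    parts = []
    pos = 0
    loop do
      start = data.index(@delim, pos)
      raise EOFError, "boundary not found" if start.nil?
      after = start + @delim.bytesize
      break if data[after, 2] == "--"                 # closing delimiter "--boundary--"

      header_end = data.index(EOL + EOL, after)
      raise EOFError, "truncated part header" if header_end.nil?
      next_delim = data.index(@delim, header_end)
      raise EOFError, "unterminated part" if next_delim.nil?

      headers = data[(after + EOL.bytesize)...header_end]
      body = data[(header_end + 2 * EOL.bytesize)...(next_delim - EOL.bytesize)]
      raise ArgumentError, "part exceeds #{MAX_PART_BYTES} bytes" if body.bytesize > MAX_PART_BYTES

      parts << [headers[/name="([^"]*)"/, 1], body]
      pos = next_delim   # strictly greater than the old pos, so the loop always advances
    end
    parts
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request body, not captured traffic.
  body = "--XYZ\r\nContent-Disposition: form-data; name=\"user\"\r\n\r\nalice\r\n--XYZ--\r\n"
  p MultipartReader.new(StringIO.new(body), "XYZ", body.bytesize).read_parts
  begin
    MultipartReader.new(StringIO.new(""), "XYZ", 0).read_parts
  rescue EOFError => e
    puts "rejected empty body: #{e.message}"
  end
end
```

The two checks before the loop are the ones that matter for this advisory; the progress guarantee inside the loop is what makes a truncated or malformed body terminate with an error rather than spin.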

    Andres Salomon reported an insecure file permissions flaw in the CGI
    session management of Ruby. FileStore created world-readable files,
    which could allow a malicious local user to read CGI session data. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0755 to this issue.
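The following store is an added illustration of the CAN-2004-0755 fix pattern, not the `CGI::Session::FileStore` code that the erratum patches; the class name `PrivateFileStore`, the `sess_` prefix and the sample session data are constructed for this example. A session file is created with mode 0600 and then chmod'ed to it, so neither the process umask nor a pre-existing file can leave session data readable by other local accounts. A small audit helper lists any session files that are still group- or world-readable, which is the check an administrator would run on an existing session directory after applying the update.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical session store (added illustration, not the Ruby CGI module's
# own FileStore). The CAN-2004-0755 class of flaw is a session file created
# with the process's default mode (often 0644), readable by every local
# account. Here the mode is fixed at creation and then enforced with chmod.
class PrivateFileStore
  SESSION_ID = /\A[0-9a-f]{16,}\z/   # reject ids that could traverse out of @dir

  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(@dir, mode: 0700)
  end

  def path_for(session_id)
    raise ArgumentError, "malformed session id" unless session_id =~ SESSION_ID
    File.join(@dir, "sess_#{session_id}")
  end

  def write(session_id, data)
    path = path_for(session_id)
    # Mode 0600 at open time; umask can only clear bits, never add them.
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(data) }
    # If the file pre-existed with a wider mode, narrow it as well.
    File.chmod(0600, path)
    path
  end

  def read(session_id)
    File.read(path_for(session_id))
  end
end

# Audit helper for an existing session directory: returns every session file
# whose group or other read bit is set, i.e. data another local user can read.
def world_readable_sessions(dir)
  Dir.glob(File.join(dir, "sess_*")).select { |p| (File.stat(p).mode & 0044) != 0 }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir("sessions") do |dir|
    store = PrivateFileStore.new(dir)
    path = store.write("0123456789abcdef", "user=alice")   # constructed sample data
    printf "%s mode %04o\n", path, File.stat(path).mode & 07777
    puts "leaky files: #{world_readable_sessions(dir).inspect}"
  end
end
```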

    Users are advised to upgrade to this erratum package, which contains
    backported patches fixing these issues.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which
    are not installed but included in the list will not be updated. Note
    that you can also use wildcards (*.rpm) if your current directory *only*
    contains the desired RPMs.

    Please note that this update is also available via yum and apt. Many
    people find this an easier way to apply updates. To use yum issue:

    yum update

    or to use apt:

    apt-get update; apt-get upgrade

    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system. This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.

    5. Bug IDs fixed:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152768

    6. RPMs required:

    Red Hat Linux 7.3:
    SRPM:
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ruby-1.6.7-5.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/irb-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-devel-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-docs-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-libs-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-xemacs-1.6.7-5.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-tcltk-1.6.7-5.legacy.i386.rpm

    Red Hat Linux 9:

    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ruby-1.6.8-6.2.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/irb-1.6.8-6.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-1.6.8-6.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-devel-1.6.8-6.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-docs-1.6.8-6.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-libs-1.6.8-6.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-mode-1.6.8-6.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-tcltk-1.6.8-6.2.legacy.i386.rpm

    Fedora Core 1:

    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ruby-1.8.0-5.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/irb-1.8.0-5.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-1.8.0-5.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-devel-1.8.0-5.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-docs-1.8.0-5.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-libs-1.8.0-5.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-mode-1.8.0-5.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-tcltk-1.8.0-5.legacy.i386.rpm

    7. Verification:

    SHA1 sum                                  Package Name
    ---------------------------------------------------------------------

    20229f10316a40bf968cfd79e54326d9853d62fa  redhat/7.3/updates/i386/irb-1.6.7-5.legacy.i386.rpm
    9221938904eb3752f6f662793590d0fd485717a3  redhat/7.3/updates/i386/ruby-1.6.7-5.legacy.i386.rpm
    e75c9fb30e5cc1ce70cc626269ee694bdc4ea192  redhat/7.3/updates/i386/ruby-devel-1.6.7-5.legacy.i386.rpm
    2f0efc45d8fc54bc2dd1be177c104e09f0869e5a  redhat/7.3/updates/i386/ruby-docs-1.6.7-5.legacy.i386.rpm
    f57720143f0c3cc0414f35bac468d2a43a4f4ba5  redhat/7.3/updates/i386/ruby-libs-1.6.7-5.legacy.i386.rpm
    c54372b3e92143c6a485a1eaec28e88084feda1c  redhat/7.3/updates/i386/ruby-mode-1.6.7-5.legacy.i386.rpm
    074cef5949a3d172808a482a8ce0854c2f57dae9  redhat/7.3/updates/i386/ruby-mode-xemacs-1.6.7-5.legacy.i386.rpm
    268350eb562c748eff321f7a60d4e8b2b35a75b4  redhat/7.3/updates/i386/ruby-tcltk-1.6.7-5.legacy.i386.rpm
    27418dc877d16766d22fc1906ce15b9937d2d631  redhat/7.3/updates/SRPMS/ruby-1.6.7-5.legacy.src.rpm
    2bdad0706f49449491a7e48158d8d2e5796fc043  redhat/9/updates/i386/irb-1.6.8-6.2.legacy.i386.rpm
    3ff73cc2715e1e05b89c793a990d632a6e2d5ebc  redhat/9/updates/i386/ruby-1.6.8-6.2.legacy.i386.rpm
    4d9d86ee0b1393cd4d081404fb8905d0b58af1ec  redhat/9/updates/i386/ruby-devel-1.6.8-6.2.legacy.i386.rpm
    f8c4d14d8bbc90e974824eb355f7031d6d988fbb  redhat/9/updates/i386/ruby-docs-1.6.8-6.2.legacy.i386.rpm
    679649deebf9ffcfbeadadf0797aa4becf19e61e  redhat/9/updates/i386/ruby-libs-1.6.8-6.2.legacy.i386.rpm
    dda4147c16cbbb684a96e41393d2d2e9d162718d  redhat/9/updates/i386/ruby-mode-1.6.8-6.2.legacy.i386.rpm
    6146235cd606bbcccf6b5a0cfe3548aeccf06fa8  redhat/9/updates/i386/ruby-tcltk-1.6.8-6.2.legacy.i386.rpm
    42a4bbd8fb1938e18fd74bb6681f161bdf563048  redhat/9/updates/SRPMS/ruby-1.6.8-6.2.legacy.src.rpm
    04c2365f7f3e81d6301cea8202b6da93049d8830  fedora/1/updates/i386/irb-1.8.0-5.legacy.i386.rpm
    f316e376df3ec8ef4d36492f1059fc830116579a  fedora/1/updates/i386/ruby-1.8.0-5.legacy.i386.rpm
    99152c9afef3260c395d98918f6dce80cdde6b33  fedora/1/updates/i386/ruby-devel-1.8.0-5.legacy.i386.rpm
    db7227360fff6dd7bfa038732267296867bfc100  fedora/1/updates/i386/ruby-docs-1.8.0-5.legacy.i386.rpm
    a1cdd38cd7899553856b474ab8a83430be7c0416  fedora/1/updates/i386/ruby-libs-1.8.0-5.legacy.i386.rpm
    ee5fb8899a19891ad523a0eedaa2b91ce9e99bd4  fedora/1/updates/i386/ruby-mode-1.8.0-5.legacy.i386.rpm
    b04a2aab214b5acdcc244efd13953dca51255d64  fedora/1/updates/i386/ruby-tcltk-1.8.0-5.legacy.i386.rpm
    e0776a0929040910b9059993a26ada0008f641c6  fedora/1/updates/SRPMS/ruby-1.8.0-5.legacy.src.rpm

    These packages are GPG signed by Fedora Legacy for security. Our key is
    available from http://www.fedoralegacy.org/about/security.php

    You can verify each package with the following command:

        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the sha1sum with the following command:

        sha1sum <filename>
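Sections 4 and 7 together describe one procedure: download the RPMs, check each against the advisory's SHA1 list, check the Fedora Legacy signature with `rpm --checksig`, then freshen with `rpm -Fvh`. The script below is an added example of that procedure in Ruby; it is not part of the advisory or of Fedora Legacy's tooling. It parses the "SHA1 sum / Package Name" list from section 7 (in either layout: hash and path on one line, or on consecutive lines as in the mail), hashes downloaded files with `Digest::SHA1`, and only passes files that clear both checks to `rpm`. The function names and `ADVISORY_EXCERPT` constant are constructed here; the two hash entries in the excerpt are copied from section 7. A matching SHA1 only proves the download equals the file the advisory lists; the GPG check is what ties that file to Fedora Legacy.

```ruby
require 'digest/sha1'

# Added verification helper, not Fedora Legacy's own tooling.

# Accepts either layout: "hash path" on one line, or hash and path on
# consecutive lines as in the advisory mail. Returns {basename => sha1}.
def parse_sha1_list(text)
  sums = {}
  tokens = text.split
  tokens.each_with_index do |tok, i|
    next unless tok =~ /\A[0-9a-f]{40}\z/ && tokens[i + 1]
    sums[File.basename(tokens[i + 1])] = tok
  end
  sums
end

# Returns [:ok | :mismatch | :unlisted, actual_sha1_or_nil] for one file.
def verify_download(path, sums)
  expected = sums[File.basename(path)]
  return [:unlisted, nil] unless expected
  actual = Digest::SHA1.file(path).hexdigest
  [actual == expected ? :ok : :mismatch, actual]
end

# Signature check delegated to rpm itself (needs rpm and the imported
# Fedora Legacy key); returns false when rpm is absent or the check fails.
def rpm_signature_ok?(path)
  system('rpm', '--checksig', '-v', path) == true
end

# Two Red Hat Linux 9 entries, copied from section 7 of the advisory.
ADVISORY_EXCERPT = <<~LIST
  3ff73cc2715e1e05b89c793a990d632a6e2d5ebc
  redhat/9/updates/i386/ruby-1.6.8-6.2.legacy.i386.rpm
  679649deebf9ffcfbeadadf0797aa4becf19e61e
  redhat/9/updates/i386/ruby-libs-1.6.8-6.2.legacy.i386.rpm
LIST

if $PROGRAM_NAME == __FILE__
  # Usage: ruby verify_update.rb ruby-1.6.8-6.2.legacy.i386.rpm ...
  sums = parse_sha1_list(ADVISORY_EXCERPT)
  verified = ARGV.select do |rpm|
    status, actual = verify_download(rpm, sums)
    puts "#{status}\t#{rpm}\t#{actual}"
    status == :ok && rpm_signature_ok?(rpm)
  end
  # Only freshen packages that passed both checks ("rpm -Fvh" from section 4).
  system('rpm', '-Fvh', *verified) unless verified.empty?
end
```

Replace `ADVISORY_EXCERPT` with the full section 7 list for the release you run; files the list does not mention come back as `:unlisted` and are never handed to `rpm`.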

    8. References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0983

    9. Contact:

    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org

    ---------------------------------------------------------------------