[RHSA-2008:0897-01] Moderate: ruby security update

news · October 21, 2008

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

=====================================================================

Red Hat Security Advisory

Synopsis: Moderate: ruby security update

Advisory ID: RHSA-2008:0897-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0897.html

Issue date: 2008-10-21

CVE Names: CVE-2008-3443 CVE-2008-3655 CVE-2008-3656

CVE-2008-3657 CVE-2008-3790 CVE-2008-3905

=====================================================================

1. Summary:

Updated ruby packages that fix several security issues are now available

for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red

Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux Desktop version 4 - i386, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Ruby is an interpreted scripting language for quick and easy

object-oriented programming.

The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs

and a fixed source port when sending DNS requests. A remote attacker could

use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)

Ruby's XML document parsing module (REXML) was prone to a denial of service

attack via XML documents with large XML entity definitions recursion. A

specially-crafted XML file could cause a Ruby application using the REXML

module to use an excessive amount of CPU and memory. (CVE-2008-3790)

An insufficient "taintness" check flaw was discovered in Ruby's DL module,

which provides direct access to the C language functions. An attacker could

use this flaw to bypass intended safe-level restrictions by calling

external C functions with the arguments from an untrusted tainted inputs.

(CVE-2008-3657)

A denial of service flaw was discovered in WEBrick, Ruby's HTTP server

toolkit. A remote attacker could send a specially-crafted HTTP request to a

WEBrick server that would cause the server to use an excessive amount of

CPU time. (CVE-2008-3656)

A number of flaws were found in the safe-level restrictions in Ruby. It

was possible for an attacker to create a carefully crafted malicious script

that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If

a Ruby script tried to process a large amount of data via a regular

expression, it could cause Ruby to enter an infinite-loop and crash.

(CVE-2008-3443)

Users of ruby should upgrade to these updated packages, which contain

backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released

errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at

http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

458948 - CVE-2008-3655 ruby: multiple insufficient safe mode restrictions

458953 - CVE-2008-3656 ruby: WEBrick DoS vulnerability (CPU consumption)

458966 - CVE-2008-3657 ruby: missing "taintness" checks in dl module

459266 - CVE-2008-3443 ruby: Memory allocation failure in Ruby regex engine (remotely exploitable DoS)

460134 - CVE-2008-3790 ruby: DoS vulnerability in the REXML module

461495 - CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS requests done by resolv.rb module

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/ruby-1.8.1-7.el4_7.1.src.rpm

i386:

irb-1.8.1-7.el4_7.1.i386.rpm

ruby-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-devel-1.8.1-7.el4_7.1.i386.rpm

ruby-docs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-mode-1.8.1-7.el4_7.1.i386.rpm

ruby-tcltk-1.8.1-7.el4_7.1.i386.rpm

ia64:

irb-1.8.1-7.el4_7.1.ia64.rpm

ruby-1.8.1-7.el4_7.1.ia64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.ia64.rpm

ruby-devel-1.8.1-7.el4_7.1.ia64.rpm

ruby-docs-1.8.1-7.el4_7.1.ia64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.ia64.rpm

ruby-mode-1.8.1-7.el4_7.1.ia64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.ia64.rpm

ppc:

irb-1.8.1-7.el4_7.1.ppc.rpm

ruby-1.8.1-7.el4_7.1.ppc.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.ppc.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.ppc64.rpm

ruby-devel-1.8.1-7.el4_7.1.ppc.rpm

ruby-docs-1.8.1-7.el4_7.1.ppc.rpm

ruby-libs-1.8.1-7.el4_7.1.ppc.rpm

ruby-libs-1.8.1-7.el4_7.1.ppc64.rpm

ruby-mode-1.8.1-7.el4_7.1.ppc.rpm

ruby-tcltk-1.8.1-7.el4_7.1.ppc.rpm

s390:

irb-1.8.1-7.el4_7.1.s390.rpm

ruby-1.8.1-7.el4_7.1.s390.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.s390.rpm

ruby-devel-1.8.1-7.el4_7.1.s390.rpm

ruby-docs-1.8.1-7.el4_7.1.s390.rpm

ruby-libs-1.8.1-7.el4_7.1.s390.rpm

ruby-mode-1.8.1-7.el4_7.1.s390.rpm

ruby-tcltk-1.8.1-7.el4_7.1.s390.rpm

s390x:

irb-1.8.1-7.el4_7.1.s390x.rpm

ruby-1.8.1-7.el4_7.1.s390x.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.s390.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.s390x.rpm

ruby-devel-1.8.1-7.el4_7.1.s390x.rpm

ruby-docs-1.8.1-7.el4_7.1.s390x.rpm

ruby-libs-1.8.1-7.el4_7.1.s390.rpm

ruby-libs-1.8.1-7.el4_7.1.s390x.rpm

ruby-mode-1.8.1-7.el4_7.1.s390x.rpm

ruby-tcltk-1.8.1-7.el4_7.1.s390x.rpm

x86_64:

irb-1.8.1-7.el4_7.1.x86_64.rpm

ruby-1.8.1-7.el4_7.1.x86_64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.x86_64.rpm

ruby-devel-1.8.1-7.el4_7.1.x86_64.rpm

ruby-docs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-mode-1.8.1-7.el4_7.1.x86_64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:

ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/ruby-1.8.1-7.el4_7.1.src.rpm

i386:

irb-1.8.1-7.el4_7.1.i386.rpm

ruby-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-devel-1.8.1-7.el4_7.1.i386.rpm

ruby-docs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-mode-1.8.1-7.el4_7.1.i386.rpm

ruby-tcltk-1.8.1-7.el4_7.1.i386.rpm

x86_64:

irb-1.8.1-7.el4_7.1.x86_64.rpm

ruby-1.8.1-7.el4_7.1.x86_64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.x86_64.rpm

ruby-devel-1.8.1-7.el4_7.1.x86_64.rpm

ruby-docs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-mode-1.8.1-7.el4_7.1.x86_64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:

ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/ruby-1.8.1-7.el4_7.1.src.rpm

i386:

irb-1.8.1-7.el4_7.1.i386.rpm

ruby-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-devel-1.8.1-7.el4_7.1.i386.rpm

ruby-docs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-mode-1.8.1-7.el4_7.1.i386.rpm

ruby-tcltk-1.8.1-7.el4_7.1.i386.rpm

ia64:

irb-1.8.1-7.el4_7.1.ia64.rpm

ruby-1.8.1-7.el4_7.1.ia64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.ia64.rpm

ruby-devel-1.8.1-7.el4_7.1.ia64.rpm

ruby-docs-1.8.1-7.el4_7.1.ia64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.ia64.rpm

ruby-mode-1.8.1-7.el4_7.1.ia64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.ia64.rpm

x86_64:

irb-1.8.1-7.el4_7.1.x86_64.rpm

ruby-1.8.1-7.el4_7.1.x86_64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.x86_64.rpm

ruby-devel-1.8.1-7.el4_7.1.x86_64.rpm

ruby-docs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-mode-1.8.1-7.el4_7.1.x86_64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:

ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/ruby-1.8.1-7.el4_7.1.src.rpm

i386:

irb-1.8.1-7.el4_7.1.i386.rpm

ruby-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-devel-1.8.1-7.el4_7.1.i386.rpm

ruby-docs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-mode-1.8.1-7.el4_7.1.i386.rpm

ruby-tcltk-1.8.1-7.el4_7.1.i386.rpm

ia64:

irb-1.8.1-7.el4_7.1.ia64.rpm

ruby-1.8.1-7.el4_7.1.ia64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.ia64.rpm

ruby-devel-1.8.1-7.el4_7.1.ia64.rpm

ruby-docs-1.8.1-7.el4_7.1.ia64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.ia64.rpm

ruby-mode-1.8.1-7.el4_7.1.ia64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.ia64.rpm

x86_64:

irb-1.8.1-7.el4_7.1.x86_64.rpm

ruby-1.8.1-7.el4_7.1.x86_64.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.i386.rpm

ruby-debuginfo-1.8.1-7.el4_7.1.x86_64.rpm

ruby-devel-1.8.1-7.el4_7.1.x86_64.rpm

ruby-docs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-libs-1.8.1-7.el4_7.1.i386.rpm

ruby-libs-1.8.1-7.el4_7.1.x86_64.rpm

ruby-mode-1.8.1-7.el4_7.1.x86_64.rpm

ruby-tcltk-1.8.1-7.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ruby-1.8.5-5.el5_2.5.src.rpm

i386:

ruby-1.8.5-5.el5_2.5.i386.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.i386.rpm

ruby-docs-1.8.5-5.el5_2.5.i386.rpm

ruby-irb-1.8.5-5.el5_2.5.i386.rpm

ruby-libs-1.8.5-5.el5_2.5.i386.rpm

ruby-rdoc-1.8.5-5.el5_2.5.i386.rpm

ruby-ri-1.8.5-5.el5_2.5.i386.rpm

ruby-tcltk-1.8.5-5.el5_2.5.i386.rpm

x86_64:

ruby-1.8.5-5.el5_2.5.x86_64.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.i386.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.x86_64.rpm

ruby-docs-1.8.5-5.el5_2.5.x86_64.rpm

ruby-irb-1.8.5-5.el5_2.5.x86_64.rpm

ruby-libs-1.8.5-5.el5_2.5.i386.rpm

ruby-libs-1.8.5-5.el5_2.5.x86_64.rpm

ruby-rdoc-1.8.5-5.el5_2.5.x86_64.rpm

ruby-ri-1.8.5-5.el5_2.5.x86_64.rpm

ruby-tcltk-1.8.5-5.el5_2.5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ruby-1.8.5-5.el5_2.5.src.rpm

i386:

ruby-debuginfo-1.8.5-5.el5_2.5.i386.rpm

ruby-devel-1.8.5-5.el5_2.5.i386.rpm

ruby-mode-1.8.5-5.el5_2.5.i386.rpm

x86_64:

ruby-debuginfo-1.8.5-5.el5_2.5.i386.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.x86_64.rpm

ruby-devel-1.8.5-5.el5_2.5.i386.rpm

ruby-devel-1.8.5-5.el5_2.5.x86_64.rpm

ruby-mode-1.8.5-5.el5_2.5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ruby-1.8.5-5.el5_2.5.src.rpm

i386:

ruby-1.8.5-5.el5_2.5.i386.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.i386.rpm

ruby-devel-1.8.5-5.el5_2.5.i386.rpm

ruby-docs-1.8.5-5.el5_2.5.i386.rpm

ruby-irb-1.8.5-5.el5_2.5.i386.rpm

ruby-libs-1.8.5-5.el5_2.5.i386.rpm

ruby-mode-1.8.5-5.el5_2.5.i386.rpm

ruby-rdoc-1.8.5-5.el5_2.5.i386.rpm

ruby-ri-1.8.5-5.el5_2.5.i386.rpm

ruby-tcltk-1.8.5-5.el5_2.5.i386.rpm

ia64:

ruby-1.8.5-5.el5_2.5.ia64.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.ia64.rpm

ruby-devel-1.8.5-5.el5_2.5.ia64.rpm

ruby-docs-1.8.5-5.el5_2.5.ia64.rpm

ruby-irb-1.8.5-5.el5_2.5.ia64.rpm

ruby-libs-1.8.5-5.el5_2.5.ia64.rpm

ruby-mode-1.8.5-5.el5_2.5.ia64.rpm

ruby-rdoc-1.8.5-5.el5_2.5.ia64.rpm

ruby-ri-1.8.5-5.el5_2.5.ia64.rpm

ruby-tcltk-1.8.5-5.el5_2.5.ia64.rpm

ppc:

ruby-1.8.5-5.el5_2.5.ppc.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.ppc.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.ppc64.rpm

ruby-devel-1.8.5-5.el5_2.5.ppc.rpm

ruby-devel-1.8.5-5.el5_2.5.ppc64.rpm

ruby-docs-1.8.5-5.el5_2.5.ppc.rpm

ruby-irb-1.8.5-5.el5_2.5.ppc.rpm

ruby-libs-1.8.5-5.el5_2.5.ppc.rpm

ruby-libs-1.8.5-5.el5_2.5.ppc64.rpm

ruby-mode-1.8.5-5.el5_2.5.ppc.rpm

ruby-rdoc-1.8.5-5.el5_2.5.ppc.rpm

ruby-ri-1.8.5-5.el5_2.5.ppc.rpm

ruby-tcltk-1.8.5-5.el5_2.5.ppc.rpm

s390x:

ruby-1.8.5-5.el5_2.5.s390x.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.s390.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.s390x.rpm

ruby-devel-1.8.5-5.el5_2.5.s390.rpm

ruby-devel-1.8.5-5.el5_2.5.s390x.rpm

ruby-docs-1.8.5-5.el5_2.5.s390x.rpm

ruby-irb-1.8.5-5.el5_2.5.s390x.rpm

ruby-libs-1.8.5-5.el5_2.5.s390.rpm

ruby-libs-1.8.5-5.el5_2.5.s390x.rpm

ruby-mode-1.8.5-5.el5_2.5.s390x.rpm

ruby-rdoc-1.8.5-5.el5_2.5.s390x.rpm

ruby-ri-1.8.5-5.el5_2.5.s390x.rpm

ruby-tcltk-1.8.5-5.el5_2.5.s390x.rpm

x86_64:

ruby-1.8.5-5.el5_2.5.x86_64.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.i386.rpm

ruby-debuginfo-1.8.5-5.el5_2.5.x86_64.rpm

ruby-devel-1.8.5-5.el5_2.5.i386.rpm

ruby-devel-1.8.5-5.el5_2.5.x86_64.rpm

ruby-docs-1.8.5-5.el5_2.5.x86_64.rpm

ruby-irb-1.8.5-5.el5_2.5.x86_64.rpm

ruby-libs-1.8.5-5.el5_2.5.i386.rpm

ruby-libs-1.8.5-5.el5_2.5.x86_64.rpm

ruby-mode-1.8.5-5.el5_2.5.x86_64.rpm

ruby-rdoc-1.8.5-5.el5_2.5.x86_64.rpm

ruby-ri-1.8.5-5.el5_2.5.x86_64.rpm

ruby-tcltk-1.8.5-5.el5_2.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3443

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905

http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact

details at https://www.redhat.com/security/team/contact/

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFI/e+UXlSAg2UNWIIRAhkmAKCipGrP/Td1I7HfBbBs9nbNOLSSqwCbBZ7x

YqlWKQvtkDOlTAE5C1RpHXc=

=NCZC

-----END PGP SIGNATURE-----

--

Sign In

[RHSA-2008:0897-01] Moderate: ruby security update

Recommended Posts

news 28

Share this post

Link to post

Please sign in to comment

Browse

Activity