---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:          Updated ruby package fixes security issues
Advisory ID:       FLSA:152768
Issue date:        2005-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2004-0755 CAN-2004-0983
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

An updated ruby package that fixes security issues is now available.

Ruby is an interpreted scripting language for object-oriented programming.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A flaw was discovered in the CGI module of Ruby. If empty data is sent by the POST method to a CGI script that requires the MIME type multipart/form-data, the module can get stuck in a loop. A remote attacker could trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0983 to this issue.

Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world-readable files that could allow a malicious local user to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains backported patches fixing these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152768

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ruby-1.6.7-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/irb-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-devel-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-docs-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-libs-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-xemacs-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-tcltk-1.6.7-5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ruby-1.6.8-6.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/irb-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-devel-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-docs-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-libs-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-mode-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-tcltk-1.6.8-6.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ruby-1.8.0-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/irb-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-devel-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-docs-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-libs-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-mode-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-tcltk-1.8.0-5.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0983

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
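Two defender-side checks for the issues described in section 3, added here as an example that is not part of the advisory or of Ruby's own CGI library: a pre-dispatch guard that refuses an empty multipart/form-data POST (CAN-2004-0983), and a scan of a session directory for files readable by other users, beside a writer that creates session files mode 0600 (CAN-2004-0755). The `env` hash shape, the `ruby_sess.` file prefix and the demo contents are assumptions.

```ruby
# Added example (not from the advisory): defender-side checks for the two
# issues FLSA:152768 describes, written against plain Ruby stdlib.
require 'tmpdir'

# CAN-2004-0983: an empty multipart/form-data POST could hang the CGI parser.
# Reject such a request up front, before handing it to CGI.new.
# `env` is assumed to be a CGI-style environment hash (REQUEST_METHOD, ...).
def reject_empty_multipart?(env)
  ctype  = env['CONTENT_TYPE'].to_s
  length = env['CONTENT_LENGTH'].to_i
  env['REQUEST_METHOD'] == 'POST' &&
    ctype.downcase.start_with?('multipart/form-data') &&
    length <= 0
end

# CAN-2004-0755: FileStore wrote world-readable session files. List the files
# in a session directory that group members or any other local user can read.
def world_readable_sessions(dir)
  Dir.glob(File.join(dir, '*')).select do |path|
    File.file?(path) && (File.stat(path).mode & 0o044) != 0
  end.sort
end

# Hardened writer: create the session file owner-read/write only, refuse to
# clobber an existing file (EXCL), then pin the mode regardless of umask.
# The "ruby_sess." prefix is an assumed naming convention for this example.
def write_session_file(dir, session_id, data)
  path = File.join(dir, "ruby_sess.#{session_id}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  File.chmod(0o600, path)
  path
end

# Constructed demonstration: one leaky file as the old FileStore left it,
# one written by the hardened helper. Returns the basenames of leaky files.
def demo
  Dir.mktmpdir('sess') do |dir|
    leaky = File.join(dir, 'ruby_sess.leaky')
    File.write(leaky, 'user=alice')
    File.chmod(0o644, leaky)
    write_session_file(dir, 'safe', 'user=bob')
    world_readable_sessions(dir).map { |p| File.basename(p) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```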