[FLSA-2005:152768] Updated ruby package fixes security issues



---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated ruby package fixes security issues
Advisory ID:       FLSA:152768
Issue date:        2005-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2004-0755 CAN-2004-0983
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

An updated ruby package that fixes security issues is now available.

Ruby is an interpreted scripting language for object-oriented
programming.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A flaw was discovered in the CGI module of Ruby. If empty data is sent
by the POST method to a CGI script that expects the MIME type
multipart/form-data, the script can get stuck in a loop. A remote
attacker could trigger this flaw and cause a denial of service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0983 to this issue.
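
The following is an added example (not Fedora Legacy's patch and not Ruby's own cgi.rb) of
the defensive shape a multipart reader needs: it reads the body in bounded chunks and
stops with an error when the stream ends before the closing boundary, including the
empty POST body case, instead of re-reading forever. MultipartError and read_multipart
are hypothetical names.

```ruby
require "stringio"

# Hypothetical minimal multipart/form-data reader (added example, not Ruby's cgi.rb).
# The body is read in bounded chunks; when the stream ends before the closing
# boundary (including a completely empty POST body) it raises instead of
# re-reading forever, which is the loop CAN-2004-0983 describes.
class MultipartError < StandardError; end

# Returns a Hash of field name => value for the multipart body on `io`.
# `boundary` is the boundary parameter from the Content-Type header.
def read_multipart(io, boundary, chunk_size: 1024)
  delim = "--#{boundary}"
  buf = +""
  fields = {}
  loop do
    chunk = io.read(chunk_size)
    # nil (EOF) or "" means no more data can ever arrive: stop, do not spin.
    raise MultipartError, "multipart body ended before closing boundary" if chunk.nil? || chunk.empty?
    buf << chunk
    # Only consume a delimiter once the two bytes after it are buffered, so the
    # closing "--" marker cannot be split across two chunks.
    while (idx = buf.index(delim)) && buf.size >= idx + delim.size + 2
      part = buf[0, idx]
      buf = buf[(idx + delim.size)..-1]
      unless part.empty?                      # empty only for the preamble before the first boundary
        head, body = part.split(/\r?\n\r?\n/, 2)
        name = head.to_s[/name="([^"]*)"/, 1]
        fields[name] = body.to_s.sub(/\r?\n\z/, "") if name
      end
      return fields if buf.start_with?("--")  # closing boundary "--boundary--"
      buf = buf.sub(/\A\r?\n/, "")            # CRLF that ends the boundary line
    end
  end
end
```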

Andres Salomon reported an insecure file permissions flaw in the CGI
session management of Ruby. FileStore created world-readable session
files, which could allow a malicious local user to read CGI session data.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0755 to this issue.
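
As an added example (not Ruby's CGI::Session::FileStore and not the backported patch),
the store below creates session files owner-only and ships two helpers an administrator
can run against an existing session directory: one that lists files other local users
can read, and one that tightens them. write_session, insecure_session_files and
harden_session_files are hypothetical names; the "session_<id>" file naming is assumed.

```ruby
require "tmpdir"

# Hypothetical session store (added example, not Ruby's CGI::Session::FileStore).
# The file is created with mode 0600 and chmod'ed on every write, so a session
# file that already exists with loose permissions is tightened rather than kept.
def write_session(dir, session_id, data)
  # Session ids come from the client; restrict them so they cannot form a path.
  raise ArgumentError, "bad session id" unless session_id =~ /\A[0-9a-f]+\z/
  path = File.join(dir, "session_#{session_id}")
  File.open(path, "w", 0o600) do |f|
    f.chmod(0o600)   # the mode argument only applies at creation; enforce it on existing files too
    f.write(data)
  end
  path
end

# Audit helper: returns the session files in `dir` that grant any permission
# to group or others (the 0o077 bits), i.e. the exposure CAN-2004-0755 describes.
def insecure_session_files(dir)
  Dir.glob(File.join(dir, "session_*")).select do |path|
    (File.stat(path).mode & 0o077) != 0
  end
end

# Remediation: restrict every insecure session file to owner-only access and
# return the paths that were changed.
def harden_session_files(dir)
  insecure_session_files(dir).each { |path| File.chmod(0o600, path) }
end
```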

Users are advised to upgrade to this erratum package, which contains
backported patches fixing these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152768

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ruby-1.6.7-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/irb-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-devel-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-docs-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-libs-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-mode-xemacs-1.6.7-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ruby-tcltk-1.6.7-5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ruby-1.6.8-6.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/irb-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-devel-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-docs-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-libs-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-mode-1.6.8-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ruby-tcltk-1.6.8-6.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ruby-1.8.0-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/irb-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-devel-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-docs-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-libs-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-mode-1.8.0-5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ruby-tcltk-1.8.0-5.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>
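
To check a whole download directory against the Verification listing above (one SHA1
sum per line, followed on the next line by the package path) rather than running sha1sum
by hand, here is an added Ruby example that is not part of the advisory or of the rpm
tooling. parse_sha1_listing and verify_packages are hypothetical names; the listing text
and files used in the check are constructed locally.

```ruby
require "digest/sha1"
require "tmpdir"   # only needed to build a scratch directory when trying this out

# Added example, not part of the advisory. Parses the advisory's Verification
# listing, where every SHA1 sum is followed on the next line by the package
# path, into { package path => expected sum }.
def parse_sha1_listing(text)
  entries = text.lines.map(&:strip).reject(&:empty?)
  raise ArgumentError, "listing has an unpaired line" if entries.size.odd?
  entries.each_slice(2).each_with_object({}) do |(sum, path), h|
    raise ArgumentError, "not a SHA1 sum: #{sum.inspect}" unless sum =~ /\A\h{40}\z/
    h[path] = sum.downcase
  end
end

# Compares each listed package under `base_dir` with its expected sum and
# returns { package path => :ok | :mismatch | :missing }. A :mismatch means
# the download is corrupt or altered and must not be installed; a matching
# sum still says nothing about who built the package, which is what the
# GPG signature checked by `rpm --checksig` is for.
def verify_packages(listing, base_dir)
  listing.each_with_object({}) do |(rel, expected), result|
    full = File.join(base_dir, rel)
    result[rel] =
      if !File.file?(full) then :missing
      elsif Digest::SHA1.file(full).hexdigest == expected then :ok
      else :mismatch
      end
  end
end
```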

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0983

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
