MDVSA-2011:098
- Package name
- ruby
- Date
- 2011-05-23
- Advisory ID
- MDVSA-2011:098
- Affected versions
- CS4.0 x86_64 , CS4.0 i586
Problem description
Multiple vulnerabilities have been identified and fixed in ruby:
Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server
in Ruby allows remote attackers to inject arbitrary web script or HTML
via a crafted URI that triggers a UTF-7 error page (CVE-2010-0541).
The safe-level feature in Ruby allows context-dependent attackers
to modify strings via the Exception#to_s method, as demonstrated by
changing an intended pathname (CVE-2011-1005).
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
Ruby does not properly allocate memory, which allows context-dependent
attackers to execute arbitrary code or cause a denial of service
(application crash) via vectors involving creation of a large
BigDecimal value within a 64-bit process, related to an integer
truncation issue. (CVE-2011-0188).
The updated packages have been patched to correct this issue.
Updated packages
CS4.0 x86_64
6ebbbe7111ed2f782a74e53d7852e9a7 corporate/4.0/x86_64/ruby-1.8.2-7.12.20060mlcs4.x86_64.rpm 9f41b5f45c53d4415b26a86e50abbdfc corporate/4.0/x86_64/ruby-devel-1.8.2-7.12.20060mlcs4.x86_64.rpm da424c6a5b676ab74a5eb88a945817ac corporate/4.0/x86_64/ruby-doc-1.8.2-7.12.20060mlcs4.x86_64.rpm 05be0c747d5fe9e18846c71c94f544b2 corporate/4.0/x86_64/ruby-tk-1.8.2-7.12.20060mlcs4.x86_64.rpm c47e659878782a2142d0aa895948cbdd corporate/4.0/SRPMS/ruby-1.8.2-7.12.20060mlcs4.src.rpm
CS4.0 i586
dfeb0f9357da8745785c0982b0712ce9 corporate/4.0/i586/ruby-1.8.2-7.12.20060mlcs4.i586.rpm 8f5e2bac1144b743427b0ec86e9d0bdc corporate/4.0/i586/ruby-devel-1.8.2-7.12.20060mlcs4.i586.rpm 0fe11def9c0d08c8be547b673382ab13 corporate/4.0/i586/ruby-doc-1.8.2-7.12.20060mlcs4.i586.rpm 71ef95ff361bded75e12ee0a43d76801 corporate/4.0/i586/ruby-tk-1.8.2-7.12.20060mlcs4.i586.rpm c47e659878782a2142d0aa895948cbdd corporate/4.0/SRPMS/ruby-1.8.2-7.12.20060mlcs4.src.rpm