Package name: ruby
Date: 2013-04-10
Advisory ID: MDVSA-2013:124
Affected versions: MBS1 x86_64

Problem description

Updated ruby packages fix security vulnerabilities:

Shugo Maeda and Vit Ondruch discovered that Ruby incorrectly allowed
untainted strings to be modified while running at a protective safe
level. An attacker could use this flaw to bypass intended access
restrictions (CVE-2012-4466, CVE-2012-4481).

It was discovered that Ruby's REXML library did not properly restrict
XML entity expansion. An attacker could use this flaw to cause a
denial of service by tricking a Ruby application that uses REXML into
reading text nodes from specially crafted XML content, which results in
REXML consuming large amounts of system memory (CVE-2013-1821).
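The following Ruby script is an added illustration of the REXML issue and is not part of this advisory or of the Mandriva packages. It assumes a current Ruby with the rexml library and uses the REXML::Document.entity_expansion_text_limit setter that the fix for CVE-2013-1821 introduced (default 10240 bytes). The XML is a constructed test input in which three nested entity declarations make a four-reference text node expand to 4,000 bytes; the helper shows how REXML accepts that under the default budget and aborts the expansion once the budget is lowered below it, which is the check an application should rely on rather than letting untrusted XML expand without bound.

```ruby
require "rexml/document"

# Constructed test input (not from the advisory): &a; is 10 bytes, &b; expands
# to 100 bytes, &c; to 1,000 bytes, so the root text node expands to 4,000.
SAMPLE_XML = <<~XML
  <!DOCTYPE doc [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <doc>&c;&c;&c;&c;</doc>
XML

# Parse +xml+ and read the root element's text with REXML's per-text-node
# expansion budget set to +text_limit+ bytes. Returns [:ok, byte_count] when
# the expanded text stays within the budget and [:rejected, message] when
# REXML aborts the expansion. The limit is global, so the previous value is
# restored afterwards.
def read_root_text(xml, text_limit:)
  previous = REXML::Document.entity_expansion_text_limit
  REXML::Document.entity_expansion_text_limit = text_limit
  doc = REXML::Document.new(xml)
  text = doc.root.text # entity references are expanded here
  [:ok, text.bytesize]
rescue StandardError => e
  [:rejected, e.message]
ensure
  REXML::Document.entity_expansion_text_limit = previous
end

if $PROGRAM_NAME == __FILE__
  # With the default budget the 4,000-byte text is accepted; with a 1,000-byte
  # budget REXML raises "entity expansion has grown too large" instead of
  # materialising the full string.
  p read_root_text(SAMPLE_XML, text_limit: 10_240)
  p read_root_text(SAMPLE_XML, text_limit: 1000)
end
```

REXML already enforced a count-based limit (REXML::Document.entity_expansion_limit, default 10000 expansions) from an earlier fix; the sample above stays well under that count, which is why the byte-based text limit is the check that matters here.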

Updated packages

MBS1 x86_64

 eca1de4cfdf664a3df54083f7019eef6  mbs1/x86_64/ruby-1.8.7.p358-2.1.mbs1.x86_64.rpm
 7f4d4820b8c8908e91be5cfcf4bf21ae  mbs1/x86_64/ruby-devel-1.8.7.p358-2.1.mbs1.x86_64.rpm
 80079bf97c8414ad733a275cabf3d5e5  mbs1/x86_64/ruby-doc-1.8.7.p358-2.1.mbs1.noarch.rpm
 67f5798cb1e05bf34533e2b7a41c938e  mbs1/x86_64/ruby-tk-1.8.7.p358-2.1.mbs1.x86_64.rpm
 b7c67e8c2262b2204aa8ad8a6d8b87a7  mbs1/SRPMS/ruby-1.8.7.p358-2.1.mbs1.src.rpm

References