Package name
ruby
Date
2013-07-26
Advisory ID
MDVSA-2013:200
Affected versions
MES5 i586, MES5 x86_64

Problem description

Multiple vulnerabilities have been discovered and corrected in ruby:

The safe-level feature in Ruby 1.8.7 allows context-dependent attackers
to modify strings via the NameError#to_s method when operating on
Ruby objects. NOTE: this issue is due to an incomplete fix for
CVE-2011-1005 (CVE-2012-4481).

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows
remote attackers to cause a denial of service (memory consumption and
crash) via crafted text nodes in an XML document, aka an XML Entity
Expansion (XEE) attack (CVE-2013-1821).
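
The XEE issue above is bounded in the fixed REXML by an expansion limit. As an added illustration of that kind of bound, and not code from the advisory, from Mandriva or from REXML itself, the following Ruby estimates how large a document body would become once its internal entity declarations are expanded, and refuses it before any parser materialises the expansion. Every name here (xee_safe?, expanded_length, internal_entities, build_expanding_xml, the sample documents) is an assumption constructed for the example.

```ruby
# Added example, not code from the advisory or from REXML: estimate the
# expanded size of an XML document's body before handing it to a parser.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF  = /&(\w+);/

class ExpansionLimitExceeded < StandardError; end
class RecursiveEntity < StandardError; end

# Collects general entities declared in the internal DTD subset.
def internal_entities(xml)
  decls = {}
  xml.scan(ENTITY_DECL) { |name, dq, sq| decls[name] = dq || sq }
  decls
end

# Length of `text` after every &name; reference is replaced recursively.
# Raises as soon as the running total exceeds `limit`, so a crafted
# document is rejected without its expansion ever being built in memory.
def expanded_length(text, decls, limit, memo = {}, stack = [])
  total = 0
  last_end = 0
  text.scan(ENTITY_REF) do
    m = Regexp.last_match
    name = m[1]
    total += m.begin(0) - last_end       # literal text before the reference
    last_end = m.end(0)
    if decls.key?(name)
      raise RecursiveEntity, name if stack.include?(name)
      memo[name] ||= expanded_length(decls[name], decls, limit, memo, stack + [name])
      total += memo[name]
    else
      total += m[0].length               # &amp;, &lt; etc. are left untouched
    end
    raise ExpansionLimitExceeded, total.to_s if total > limit
  end
  total + (text.length - last_end)
end

# True when the document body stays within `limit` bytes after expansion.
def xee_safe?(xml, limit: 10_000)
  decls = internal_entities(xml)
  body = xml.sub(/<!DOCTYPE.*?\]\s*>/m, "")   # measure the body, not the DTD itself
  expanded_length(body, decls, limit)
  true
rescue ExpansionLimitExceeded, RecursiveEntity
  false
end

# Constructed sample input: a harmless document with one entity.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [<!ENTITY company "Example Corp">]>
  <note><to>&company;</to><body>Hello &amp; welcome</body></note>
XML

# Constructed sample input: nested entities, each referencing the previous
# one `fanout` times, so the body expands to fanout**depth characters.
def build_expanding_xml(fanout = 10, depth = 3)
  decls = %(<!ENTITY e0 "#{'x' * fanout}">)
  (1...depth).each do |i|
    ref = "&e#{i - 1};"
    decls += %(<!ENTITY e#{i} "#{ref * fanout}">)
  end
  %(<!DOCTYPE r [#{decls}]><r>&e#{depth - 1};</r>)
end

if __FILE__ == $PROGRAM_NAME
  puts "benign: #{xee_safe?(BENIGN_XML)}"
  puts "nested 10^3 with 1000-byte limit: #{xee_safe?(build_expanding_xml, limit: 1_000)}"
end
```

The estimator counts bytes rather than producing them, memoises each entity so shared sub-entities are measured once, and treats a reference cycle as a rejection in its own right; a limit of a few kilobytes is generous for ordinary documents while stopping geometric growth at the first level that crosses it.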

A flaw was found in Ruby's SSL client's hostname identity check
when handling certificates that contain hostnames with NULL
bytes. An attacker could potentially exploit this flaw to conduct
man-in-the-middle attacks to spoof SSL servers. Note that to exploit
this issue, an attacker would need to obtain a carefully-crafted
certificate signed by an authority that the client trusts
(CVE-2013-4073).
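
As an added example of the defensive side of the hostname issue above, and not the advisory's, Mandriva's or Ruby's own OpenSSL code, the following Ruby is a reference identity check that refuses any certificate name containing a NUL byte before doing the usual case-insensitive, single-label wildcard comparison. The function names (hostname_matches?, matching_san) and the sample names are assumptions constructed for the example.

```ruby
# Added example, not the advisory's or Ruby's own OpenSSL code: a reference
# hostname check that rejects NUL bytes before any comparison is made.

# Compares a DNS name taken from a certificate (subjectAltName dNSName or
# CN) against the hostname the client intended to reach.
def hostname_matches?(presented, expected)
  # A NUL inside the name means a C-string comparison would stop early and
  # see only the prefix the attacker chose; refuse such names outright.
  return false if presented.include?("\0") || expected.include?("\0")

  p_labels = presented.downcase.split(".", -1)   # -1 keeps trailing empty labels
  e_labels = expected.downcase.split(".", -1)
  return false if p_labels.empty? || p_labels.length != e_labels.length
  return false if (p_labels + e_labels).any?(&:empty?)
  # A wildcard must leave at least two literal labels ("*.example.com"),
  # so a bare "*" or "*.com" never matches anything.
  return false if p_labels.first == "*" && p_labels.length < 3

  p_labels.each_with_index.all? do |label, i|
    # "*" is accepted only as the leftmost label and covers exactly one
    # label; partial wildcards such as "w*" are treated literally.
    (i.zero? && label == "*") || label == e_labels[i]
  end
end

# Checks every dNSName in a subjectAltName-style list and returns the
# first name that matched, or nil when none did.
def matching_san(san_names, expected)
  san_names.find { |n| hostname_matches?(n, expected) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, including one carrying an embedded NUL.
  sans = ["mail.example.com", "*.example.com", "www.example.com\0.attacker-controlled.test"]
  puts matching_san(sans, "www.example.com").inspect   # "*.example.com"
  puts matching_san(sans, "example.com").inspect       # nil
end
```

The NUL test runs on the whole Ruby string, which carries an explicit length, so the check does not depend on how any underlying C routine terminates its input; the label-by-label comparison then rejects trailing dots, mismatched label counts and wildcards that would cover more than one label.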

The updated packages have been patched to correct these issues.

Updated packages

MES5 i586

 54efd9d04ac7a92a38c9a531c0a5b956  mes5/i586/ruby-1.8.7-7p72.6mdvmes5.2.i586.rpm
 6ca399ef73a5df70b24e8a54bc7e9184  mes5/i586/ruby-devel-1.8.7-7p72.6mdvmes5.2.i586.rpm
 4e6ceeba8349c5ed2d9965dc9e7dca33  mes5/i586/ruby-doc-1.8.7-7p72.6mdvmes5.2.i586.rpm
 cca93669e5f564c35d04d3427aa9b0bd  mes5/i586/ruby-tk-1.8.7-7p72.6mdvmes5.2.i586.rpm 
 01677fdc63909deddc5584aab63d6b9a  mes5/SRPMS/ruby-1.8.7-7p72.6mdvmes5.2.src.rpm

MES5 x86_64

 c25ab3890d672abcdf3415e38f0ccfa9  mes5/x86_64/ruby-1.8.7-7p72.6mdvmes5.2.x86_64.rpm
 1dbfd59b83e2d53382d3f5ebb524e942  mes5/x86_64/ruby-devel-1.8.7-7p72.6mdvmes5.2.x86_64.rpm
 1eb316b715f155b09dcf0e75791be3e0  mes5/x86_64/ruby-doc-1.8.7-7p72.6mdvmes5.2.x86_64.rpm
 091949b18bf3b6963224991677996f24  mes5/x86_64/ruby-tk-1.8.7-7p72.6mdvmes5.2.x86_64.rpm 
 01677fdc63909deddc5584aab63d6b9a  mes5/SRPMS/ruby-1.8.7-7p72.6mdvmes5.2.src.rpm

References