__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                          INFORMATION BULLETIN

                         Ruby Security Update
                       [Red Hat RHSA-2008:0561-7]

July 28, 2008 19:00 GMT                                           Number S-344
______________________________________________________________________________
PROBLEM:       Multiple integer overflows leading to a heap overflow were
               discovered in the array- and string-handling code used by
               Ruby. Separately, the String#% (format) method uses alloca()
               without restricting the maximum string length.
PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0 (etch)
DAMAGE:        Execute arbitrary code or DoS.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker could use these flaws to crash
ASSESSMENT:    a Ruby application or, possibly, execute arbitrary code with
               the privileges of the Ruby application using untrusted inputs
               in array or string operations.
______________________________________________________________________________
CVSS 2
BASE SCORE:      6.8
TEMPORAL SCORE:  5.6
VECTOR:          (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-344.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0561.html
 ADDITIONAL LINK:    http://www.debian.org/security/2008/dsa-1618-1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2008-2376 CVE-2008-2662 CVE-2008-2663 CVE-2008-2664
                     CVE-2008-2725 CVE-2008-2726
______________________________________________________________________________
REVISION HISTORY:
 08/18/2008 - revised S-344 to add a link to Debian Security Advisory
              DSA-1618-1 for Debian GNU/Linux 4.0 (etch).
[***** Start Red Hat RHSA-2008:0561-7 *****]

Moderate: ruby security update

Advisory:             RHSA-2008:0561-7
Type:                 Security Advisory
Severity:             Moderate
Issued on:            2008-07-14
Last updated on:      2008-07-14
Affected Products:    RHEL Desktop Workstation (v. 5 client)
                      Red Hat Desktop (v. 4)
                      Red Hat Enterprise Linux (v. 5 server)
                      Red Hat Enterprise Linux AS (v. 4)
                      Red Hat Enterprise Linux Desktop (v. 5 client)
                      Red Hat Enterprise Linux ES (v. 4)
                      Red Hat Enterprise Linux WS (v. 4)
OVAL:                 com.redhat.rhsa-20080561.xml
CVEs (cve.mitre.org): CVE-2008-2376 CVE-2008-2662 CVE-2008-2663
                      CVE-2008-2664 CVE-2008-2725 CVE-2008-2726

Details

Updated ruby packages that fix several security issues are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Ruby is an interpreted scripting language for quick and easy object-oriented
programming.

Multiple integer overflows leading to a heap overflow were discovered in the
array- and string-handling code used by Ruby. An attacker could use these
flaws to crash a Ruby application or, possibly, execute arbitrary code with
the privileges of the Ruby application using untrusted inputs in array or
string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663,
CVE-2008-2725, CVE-2008-2726)

It was discovered that Ruby used the alloca() memory allocation function in
the format (%) method of the String class without properly restricting
maximum string length. An attacker could use this flaw to crash a Ruby
application or, possibly, execute arbitrary code with the privileges of the
Ruby application using long, untrusted strings as format strings.
(CVE-2008-2664)

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting these issues.

Users of Ruby should upgrade to these updated packages, which contain a
backported patch to resolve these issues.
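The two bug classes named above, a length computation that wraps before the heap block is grown and a stack buffer sized by untrusted input with no upper bound, are easier to recognise in code than in prose. The following C program is an illustration added to this bulletin; it is not code from Ruby or from Red Hat's patch, and every name in it (strbuf, grow_size_unchecked, grow_size_checked, strbuf_append, scratch_acquire, STACK_SCRATCH_MAX) is an assumed, illustrative name rather than a Ruby internal. It shows the vulnerable size arithmetic next to the checked form, and a bounded stack-scratch decision in place of an unbounded alloca().

```c
/* Added illustration for CIAC S-344 / RHSA-2008:0561; NOT Ruby or Red Hat
 * code. Toy growable string buffer showing (1) an integer overflow in the
 * grow-size computation that leads to a heap overflow, beside its checked
 * form, and (2) a bounded choice between stack and heap scratch space in
 * place of an unbounded alloca(). All identifiers are assumed names. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *ptr;   /* NUL-terminated contents */
    size_t len;   /* bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated */
} strbuf;

/* Vulnerable arithmetic: len + n silently wraps when n is near SIZE_MAX.
 * A realloc() of the wrapped (tiny) size succeeds, and the memcpy() of n
 * bytes that would follow is the heap overflow. Only the size is computed
 * here, so the demonstration never writes out of bounds. */
size_t grow_size_unchecked(size_t len, size_t n)
{
    return len + n;
}

/* Hardened form: refuse a request whose total (plus terminating NUL) cannot
 * be represented, and enforce a policy cap on how large untrusted input may
 * make the buffer. Returns 0 and sets *out on success, -1 otherwise. */
int grow_size_checked(size_t len, size_t n, size_t max_total, size_t *out)
{
    if (n >= SIZE_MAX - len)      /* len + n + 1 would overflow */
        return -1;
    if (len + n > max_total)      /* growth beyond policy limit */
        return -1;
    *out = len + n;
    return 0;
}

/* Append n bytes of src to sb, growing the heap block only after the new
 * size has been validated. Returns 0 on success, -1 with errno set. */
int strbuf_append(strbuf *sb, const char *src, size_t n, size_t max_total)
{
    size_t need;
    if (grow_size_checked(sb->len, n, max_total, &need) != 0) {
        errno = EOVERFLOW;
        return -1;
    }
    if (need + 1 > sb->cap) {
        char *p = realloc(sb->ptr, need + 1);
        if (p == NULL)
            return -1;            /* errno set by realloc */
        sb->ptr = p;
        sb->cap = need + 1;
    }
    memcpy(sb->ptr + sb->len, src, n);
    sb->len = need;
    sb->ptr[sb->len] = '\0';
    return 0;
}

/* Bounded scratch space: the missing check behind an unbounded alloca() is
 * a decision, made from the untrusted length, whether the stack may be used
 * at all. Small requests use the caller's fixed stack array; larger ones go
 * to the heap (a stricter policy could reject them outright). */
#define STACK_SCRATCH_MAX 4096

char *scratch_acquire(size_t n, char *stackbuf, int *on_heap)
{
    if (n <= STACK_SCRATCH_MAX) {
        *on_heap = 0;
        return stackbuf;
    }
    *on_heap = 1;
    return malloc(n);             /* caller frees when *on_heap is set */
}

int main(void)
{
    printf("unchecked: 16 + (SIZE_MAX-8) wraps to %zu\n",
           grow_size_unchecked(16, SIZE_MAX - 8));

    strbuf sb = { NULL, 0, 0 };
    strbuf_append(&sb, "hello", 5, 1 << 20);
    strbuf_append(&sb, " world", 6, 1 << 20);
    printf("checked append: \"%s\" (%zu bytes)\n", sb.ptr, sb.len);
    if (strbuf_append(&sb, "x", SIZE_MAX - 4, 1 << 20) != 0)
        printf("append of SIZE_MAX-4 bytes rejected: %s\n", strerror(errno));
    free(sb.ptr);

    char stackbuf[STACK_SCRATCH_MAX];
    int on_heap;
    char *p = scratch_acquire(1 << 16, stackbuf, &on_heap);
    printf("64 KiB scratch went to the %s\n", on_heap ? "heap" : "stack");
    if (on_heap)
        free(p);
    return 0;
}
```

The point of the checked variant is that the overflow test is done on the operands before the addition, never on its result, and that a separate policy cap keeps a single untrusted operation from demanding the whole address space; the scratch helper applies the same idea to stack allocation, where the only safe answer for a large length is "not on the stack".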
Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Because the fix is a backported patch, the upstream version string printed by
the interpreter does not change (it remains 1.8.5 on Red Hat Enterprise Linux
5 and 1.8.1 on Red Hat Enterprise Linux 4). Confirm the update by checking the
installed package release with rpm -q ruby: it should be 1.8.5-5.el5_2.3 or
later on Red Hat Enterprise Linux 5 and 1.8.1-7.el4_6.1 or later on Red Hat
Enterprise Linux 4. Ruby processes that were already running keep the old
ruby-libs library mapped until they are restarted.

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
IA-32:
ruby-devel-1.8.5-5.el5_2.3.i386.rpm      f755c3511b6d9260efc6b5b5ae74ce91
ruby-mode-1.8.5-5.el5_2.3.i386.rpm       7ac882d65ae11560af873d5ef7b8f009

x86_64:
ruby-devel-1.8.5-5.el5_2.3.i386.rpm      f755c3511b6d9260efc6b5b5ae74ce91
ruby-devel-1.8.5-5.el5_2.3.x86_64.rpm    f5fea8aa7b42ab5d9ae98d01a21b348f
ruby-mode-1.8.5-5.el5_2.3.x86_64.rpm     5e0220e4cf82ba13744f795f9ebbdf77

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
ruby-1.8.1-7.el4_6.1.src.rpm             ca521cd1d9dbb44d362ee4a7c42a9ca0

IA-32:
irb-1.8.1-7.el4_6.1.i386.rpm             aa476683831cebc503b965f8655e7fb8
ruby-1.8.1-7.el4_6.1.i386.rpm            1ced50e6baff2ae27dc610ade4652a77
ruby-devel-1.8.1-7.el4_6.1.i386.rpm      67d4ad9115fdc4c8ca9f8d2c3c10ba1f
ruby-docs-1.8.1-7.el4_6.1.i386.rpm       a49464629b3858035974473e234fe562
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-mode-1.8.1-7.el4_6.1.i386.rpm       ab352ca6f4b7e1ccaca8fbb6578e3c1e
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm      e51243c17dc14a7b0582dac1fdfdc619

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm           891038d9704c1dec627448642aae5dc2
ruby-1.8.1-7.el4_6.1.x86_64.rpm          be002ddaef2c09e6a927611b47c4e9a0
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm    f127c2d83f7b285f03c7dc1ac37e9968
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm     d3d184ebb508acf0a8b68b0179998fdf
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm     eed2737b95dc6b0da160436f0b3d73a0
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm     4035c0574ee29b94aac8f8b25255bc17
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm    d473d4f32bc5d4ce424dea86f0734b57

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
ruby-1.8.5-5.el5_2.3.src.rpm             1aea1d9659f762a318d05e69846b19f5

IA-32:
ruby-1.8.5-5.el5_2.3.i386.rpm            3f4d1ec07954f30708e036f2fcc40742
ruby-devel-1.8.5-5.el5_2.3.i386.rpm      f755c3511b6d9260efc6b5b5ae74ce91
ruby-docs-1.8.5-5.el5_2.3.i386.rpm       08b612fa7cd2157967862d41c074234e
ruby-irb-1.8.5-5.el5_2.3.i386.rpm        6655f4c0ee60d0237a5ff6a80edba27d
ruby-libs-1.8.5-5.el5_2.3.i386.rpm       97e7ffb1bc261f9cd8547a583f417c5c
ruby-mode-1.8.5-5.el5_2.3.i386.rpm       7ac882d65ae11560af873d5ef7b8f009
ruby-rdoc-1.8.5-5.el5_2.3.i386.rpm       dcb170a72fce8b71da59577673a6b6d5
ruby-ri-1.8.5-5.el5_2.3.i386.rpm         2de72f66ceea3706b00de351c611b6c6
ruby-tcltk-1.8.5-5.el5_2.3.i386.rpm      3cbcfe1c4d688714cf313c678e3de4b0

IA-64:
ruby-1.8.5-5.el5_2.3.ia64.rpm            ceba63010a7429db5548062d1a471d1d
ruby-devel-1.8.5-5.el5_2.3.ia64.rpm      d49ad8fcb73d76bdf8b8ddf74ddda46f
ruby-docs-1.8.5-5.el5_2.3.ia64.rpm       83e71ca80d79057a6a5b6bfbd218ea33
ruby-irb-1.8.5-5.el5_2.3.ia64.rpm        f3f13a542210cff709e66aab6c0e9798
ruby-libs-1.8.5-5.el5_2.3.ia64.rpm       80473f5178af56715bb9f952623466bc
ruby-mode-1.8.5-5.el5_2.3.ia64.rpm       3267562064bf3a1fdf255058efa911db
ruby-rdoc-1.8.5-5.el5_2.3.ia64.rpm       65904dfdfa6957dc4402ee508544a80a
ruby-ri-1.8.5-5.el5_2.3.ia64.rpm         0bdc2efbd26b1073b7cb7e272ab315f5
ruby-tcltk-1.8.5-5.el5_2.3.ia64.rpm      1efa9b7a24bc6b65df7b7d0e2fc57f51

PPC:
ruby-1.8.5-5.el5_2.3.ppc.rpm             a6f6fd4db8627c29b093a57859eecefe
ruby-devel-1.8.5-5.el5_2.3.ppc.rpm       66518cfb8c16229e572af75817df2d40
ruby-devel-1.8.5-5.el5_2.3.ppc64.rpm     8b7856183240bc7f3650d6e930fac2ad
ruby-docs-1.8.5-5.el5_2.3.ppc.rpm        a29d3e0457b150effdee6af20bc02d82
ruby-irb-1.8.5-5.el5_2.3.ppc.rpm         277a36e4483713d2792bcf2214fdd9b2
ruby-libs-1.8.5-5.el5_2.3.ppc.rpm        fb8b77fd2b4760fc24721d9036e60969
ruby-libs-1.8.5-5.el5_2.3.ppc64.rpm      8049b9f716a616e1d694a0d7acf7efb0
ruby-mode-1.8.5-5.el5_2.3.ppc.rpm        7372eb24e94fdce3ba07d80fc3c561ef
ruby-rdoc-1.8.5-5.el5_2.3.ppc.rpm        d14d444169a98b40cfb0d2aac119600c
ruby-ri-1.8.5-5.el5_2.3.ppc.rpm          c25b2deddc6fef55d2f3f6b6d8bd35d9
ruby-tcltk-1.8.5-5.el5_2.3.ppc.rpm       b22ed04270dbebfd9b4047106f095f13

s390x:
ruby-1.8.5-5.el5_2.3.s390x.rpm           23ee9255f21ff237232da2aad797ace2
ruby-devel-1.8.5-5.el5_2.3.s390.rpm      7d89c524ba8db732282fa88d92453329
ruby-devel-1.8.5-5.el5_2.3.s390x.rpm     c02577c1120a4dae54aed16c7edb455b
ruby-docs-1.8.5-5.el5_2.3.s390x.rpm      662e7769b7d5ab6be955c5d3a8a38198
ruby-irb-1.8.5-5.el5_2.3.s390x.rpm       4d74cb2716b7e6d6f6e9b8f09bf5862a
ruby-libs-1.8.5-5.el5_2.3.s390.rpm       d324ea547da0b29a029fd5e4d20d7a2e
ruby-libs-1.8.5-5.el5_2.3.s390x.rpm      969f79b9e818fd40a75f2182fed3975f
ruby-mode-1.8.5-5.el5_2.3.s390x.rpm      952740d9606b387ba948a7aac1e5781c
ruby-rdoc-1.8.5-5.el5_2.3.s390x.rpm      dd5aeb00a63712ea066b1853df9acda7
ruby-ri-1.8.5-5.el5_2.3.s390x.rpm        85f8c2361a1ece08c668bf2fffbbcdfe
ruby-tcltk-1.8.5-5.el5_2.3.s390x.rpm     ef98e6065ea95c2284372d96b4c4fbc4

x86_64:
ruby-1.8.5-5.el5_2.3.x86_64.rpm          15a7695b7c6b0faf194a7e0ee45007ca
ruby-devel-1.8.5-5.el5_2.3.i386.rpm      f755c3511b6d9260efc6b5b5ae74ce91
ruby-devel-1.8.5-5.el5_2.3.x86_64.rpm    f5fea8aa7b42ab5d9ae98d01a21b348f
ruby-docs-1.8.5-5.el5_2.3.x86_64.rpm     d127b0e74a3e7ca6ed82e35c9b2698b5
ruby-irb-1.8.5-5.el5_2.3.x86_64.rpm      4dc22a0766606957fd05a062a2a65afd
ruby-libs-1.8.5-5.el5_2.3.i386.rpm       97e7ffb1bc261f9cd8547a583f417c5c
ruby-libs-1.8.5-5.el5_2.3.x86_64.rpm     3bf1b77fce965f0488db9fc121dc4a1e
ruby-mode-1.8.5-5.el5_2.3.x86_64.rpm     5e0220e4cf82ba13744f795f9ebbdf77
ruby-rdoc-1.8.5-5.el5_2.3.x86_64.rpm     bccf280e775e7f247925a7bcc5aedcae
ruby-ri-1.8.5-5.el5_2.3.x86_64.rpm       c7a1d910ec1bb4c7a3e507caa8d7d768
ruby-tcltk-1.8.5-5.el5_2.3.x86_64.rpm    b08fc3f477329b8c09ebfa2aec4eae40

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
ruby-1.8.1-7.el4_6.1.src.rpm             ca521cd1d9dbb44d362ee4a7c42a9ca0

IA-32:
irb-1.8.1-7.el4_6.1.i386.rpm             aa476683831cebc503b965f8655e7fb8
ruby-1.8.1-7.el4_6.1.i386.rpm            1ced50e6baff2ae27dc610ade4652a77
ruby-devel-1.8.1-7.el4_6.1.i386.rpm      67d4ad9115fdc4c8ca9f8d2c3c10ba1f
ruby-docs-1.8.1-7.el4_6.1.i386.rpm       a49464629b3858035974473e234fe562
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-mode-1.8.1-7.el4_6.1.i386.rpm       ab352ca6f4b7e1ccaca8fbb6578e3c1e
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm      e51243c17dc14a7b0582dac1fdfdc619

IA-64:
irb-1.8.1-7.el4_6.1.ia64.rpm             0f9097fc8cf06f306bec177e861cef88
ruby-1.8.1-7.el4_6.1.ia64.rpm            aa9bf93dcdfcd55a031c98e81227308c
ruby-devel-1.8.1-7.el4_6.1.ia64.rpm      8925cfe0ced5322a7a0fe78e7ab0e2fc
ruby-docs-1.8.1-7.el4_6.1.ia64.rpm       168343a0020547ddec90ce093e6d7b8f
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.ia64.rpm       1102a72d595548dcc35a2d91954fb624
ruby-mode-1.8.1-7.el4_6.1.ia64.rpm       8c09034116bc91415d97086f3bd5f344
ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm      c476180837f80a52418c45e3eee887df

PPC:
irb-1.8.1-7.el4_6.1.ppc.rpm              d1cc6f7c0e2c297147ec6fc97c3e10b5
ruby-1.8.1-7.el4_6.1.ppc.rpm             20a7de9c06b2d12342ed807b1d3a6483
ruby-devel-1.8.1-7.el4_6.1.ppc.rpm       e8514d1326d84fa378f22d11309c8116
ruby-docs-1.8.1-7.el4_6.1.ppc.rpm        6d10d607e184903543261196a98745a4
ruby-libs-1.8.1-7.el4_6.1.ppc.rpm        93202d216222bcc5621e1b52d8b72b2e
ruby-libs-1.8.1-7.el4_6.1.ppc64.rpm      78cb7a08fa092df326ee87f3cd63cfdd
ruby-mode-1.8.1-7.el4_6.1.ppc.rpm        913f0a6414bfafc4b7f50d338f980643
ruby-tcltk-1.8.1-7.el4_6.1.ppc.rpm       bef5a01c0fa40d3e1e574d5b0d5c711d

s390:
irb-1.8.1-7.el4_6.1.s390.rpm             33b8f5b3c56a3803b7899d8cff6d6bdb
ruby-1.8.1-7.el4_6.1.s390.rpm            0ebaaf2dcbfed074c93fbef2fbf4088c
ruby-devel-1.8.1-7.el4_6.1.s390.rpm      f88a9f7ea44a9f4df0fd7c28ba93667f
ruby-docs-1.8.1-7.el4_6.1.s390.rpm       a118bfef31391c6a6c770f1475aa1811
ruby-libs-1.8.1-7.el4_6.1.s390.rpm       9f526a7cd0236c95a61a64cf16082309
ruby-mode-1.8.1-7.el4_6.1.s390.rpm       cc2de73e40faf21cd069c4e50e3d33e3
ruby-tcltk-1.8.1-7.el4_6.1.s390.rpm      4538c6c01b07ea0467cb43b62c6701d8

s390x:
irb-1.8.1-7.el4_6.1.s390x.rpm            a85405b2b78a0c59c4210427d2bf9d19
ruby-1.8.1-7.el4_6.1.s390x.rpm           2292804a32303179f77c7ee75038bb30
ruby-devel-1.8.1-7.el4_6.1.s390x.rpm     845f1eaa2c0320059b88ec11051db725
ruby-docs-1.8.1-7.el4_6.1.s390x.rpm      855c2648824de297804f1f61f6081bf6
ruby-libs-1.8.1-7.el4_6.1.s390.rpm       9f526a7cd0236c95a61a64cf16082309
ruby-libs-1.8.1-7.el4_6.1.s390x.rpm      0579a11fe2375925e81fe42a6bc4d6ae
ruby-mode-1.8.1-7.el4_6.1.s390x.rpm      1be35f835c23636c844a125a807fbdab
ruby-tcltk-1.8.1-7.el4_6.1.s390x.rpm     3d74975799921a4f1a7002113a6ccea6

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm           891038d9704c1dec627448642aae5dc2
ruby-1.8.1-7.el4_6.1.x86_64.rpm          be002ddaef2c09e6a927611b47c4e9a0
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm    f127c2d83f7b285f03c7dc1ac37e9968
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm     d3d184ebb508acf0a8b68b0179998fdf
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm     eed2737b95dc6b0da160436f0b3d73a0
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm     4035c0574ee29b94aac8f8b25255bc17
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm    d473d4f32bc5d4ce424dea86f0734b57

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
ruby-1.8.5-5.el5_2.3.src.rpm             1aea1d9659f762a318d05e69846b19f5

IA-32:
ruby-1.8.5-5.el5_2.3.i386.rpm            3f4d1ec07954f30708e036f2fcc40742
ruby-docs-1.8.5-5.el5_2.3.i386.rpm       08b612fa7cd2157967862d41c074234e
ruby-irb-1.8.5-5.el5_2.3.i386.rpm        6655f4c0ee60d0237a5ff6a80edba27d
ruby-libs-1.8.5-5.el5_2.3.i386.rpm       97e7ffb1bc261f9cd8547a583f417c5c
ruby-rdoc-1.8.5-5.el5_2.3.i386.rpm       dcb170a72fce8b71da59577673a6b6d5
ruby-ri-1.8.5-5.el5_2.3.i386.rpm         2de72f66ceea3706b00de351c611b6c6
ruby-tcltk-1.8.5-5.el5_2.3.i386.rpm      3cbcfe1c4d688714cf313c678e3de4b0

x86_64:
ruby-1.8.5-5.el5_2.3.x86_64.rpm          15a7695b7c6b0faf194a7e0ee45007ca
ruby-docs-1.8.5-5.el5_2.3.x86_64.rpm     d127b0e74a3e7ca6ed82e35c9b2698b5
ruby-irb-1.8.5-5.el5_2.3.x86_64.rpm      4dc22a0766606957fd05a062a2a65afd
ruby-libs-1.8.5-5.el5_2.3.i386.rpm       97e7ffb1bc261f9cd8547a583f417c5c
ruby-libs-1.8.5-5.el5_2.3.x86_64.rpm     3bf1b77fce965f0488db9fc121dc4a1e
ruby-rdoc-1.8.5-5.el5_2.3.x86_64.rpm     bccf280e775e7f247925a7bcc5aedcae
ruby-ri-1.8.5-5.el5_2.3.x86_64.rpm       c7a1d910ec1bb4c7a3e507caa8d7d768
ruby-tcltk-1.8.5-5.el5_2.3.x86_64.rpm    b08fc3f477329b8c09ebfa2aec4eae40

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
ruby-1.8.1-7.el4_6.1.src.rpm             ca521cd1d9dbb44d362ee4a7c42a9ca0

IA-32:
irb-1.8.1-7.el4_6.1.i386.rpm             aa476683831cebc503b965f8655e7fb8
ruby-1.8.1-7.el4_6.1.i386.rpm            1ced50e6baff2ae27dc610ade4652a77
ruby-devel-1.8.1-7.el4_6.1.i386.rpm      67d4ad9115fdc4c8ca9f8d2c3c10ba1f
ruby-docs-1.8.1-7.el4_6.1.i386.rpm       a49464629b3858035974473e234fe562
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-mode-1.8.1-7.el4_6.1.i386.rpm       ab352ca6f4b7e1ccaca8fbb6578e3c1e
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm      e51243c17dc14a7b0582dac1fdfdc619

IA-64:
irb-1.8.1-7.el4_6.1.ia64.rpm             0f9097fc8cf06f306bec177e861cef88
ruby-1.8.1-7.el4_6.1.ia64.rpm            aa9bf93dcdfcd55a031c98e81227308c
ruby-devel-1.8.1-7.el4_6.1.ia64.rpm      8925cfe0ced5322a7a0fe78e7ab0e2fc
ruby-docs-1.8.1-7.el4_6.1.ia64.rpm       168343a0020547ddec90ce093e6d7b8f
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.ia64.rpm       1102a72d595548dcc35a2d91954fb624
ruby-mode-1.8.1-7.el4_6.1.ia64.rpm       8c09034116bc91415d97086f3bd5f344
ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm      c476180837f80a52418c45e3eee887df

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm           891038d9704c1dec627448642aae5dc2
ruby-1.8.1-7.el4_6.1.x86_64.rpm          be002ddaef2c09e6a927611b47c4e9a0
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm    f127c2d83f7b285f03c7dc1ac37e9968
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm     d3d184ebb508acf0a8b68b0179998fdf
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm     eed2737b95dc6b0da160436f0b3d73a0
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm     4035c0574ee29b94aac8f8b25255bc17
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm    d473d4f32bc5d4ce424dea86f0734b57

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
ruby-1.8.1-7.el4_6.1.src.rpm             ca521cd1d9dbb44d362ee4a7c42a9ca0

IA-32:
irb-1.8.1-7.el4_6.1.i386.rpm             aa476683831cebc503b965f8655e7fb8
ruby-1.8.1-7.el4_6.1.i386.rpm            1ced50e6baff2ae27dc610ade4652a77
ruby-devel-1.8.1-7.el4_6.1.i386.rpm      67d4ad9115fdc4c8ca9f8d2c3c10ba1f
ruby-docs-1.8.1-7.el4_6.1.i386.rpm       a49464629b3858035974473e234fe562
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-mode-1.8.1-7.el4_6.1.i386.rpm       ab352ca6f4b7e1ccaca8fbb6578e3c1e
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm      e51243c17dc14a7b0582dac1fdfdc619

IA-64:
irb-1.8.1-7.el4_6.1.ia64.rpm             0f9097fc8cf06f306bec177e861cef88
ruby-1.8.1-7.el4_6.1.ia64.rpm            aa9bf93dcdfcd55a031c98e81227308c
ruby-devel-1.8.1-7.el4_6.1.ia64.rpm      8925cfe0ced5322a7a0fe78e7ab0e2fc
ruby-docs-1.8.1-7.el4_6.1.ia64.rpm       168343a0020547ddec90ce093e6d7b8f
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.ia64.rpm       1102a72d595548dcc35a2d91954fb624
ruby-mode-1.8.1-7.el4_6.1.ia64.rpm       8c09034116bc91415d97086f3bd5f344
ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm      c476180837f80a52418c45e3eee887df

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm           891038d9704c1dec627448642aae5dc2
ruby-1.8.1-7.el4_6.1.x86_64.rpm          be002ddaef2c09e6a927611b47c4e9a0
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm    f127c2d83f7b285f03c7dc1ac37e9968
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm     d3d184ebb508acf0a8b68b0179998fdf
ruby-libs-1.8.1-7.el4_6.1.i386.rpm       0f1d526196630c209b1054e6965c5040
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm     eed2737b95dc6b0da160436f0b3d73a0
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm     4035c0574ee29b94aac8f8b25255bc17
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm    d473d4f32bc5d4ce424dea86f0734b57

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

450821 - CVE-2008-2662 ruby: Integer overflows in rb_str_buf_append()
450825 - CVE-2008-2663 ruby: Integer overflows in rb_ary_store()
450834 - CVE-2008-2664 ruby: Unsafe use of alloca in rb_str_format()
451821 - CVE-2008-2725 ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N
451828 - CVE-2008-2726 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen
453589 - CVE-2008-2376 ruby: integer overflows in rb_ary_fill() / Array#fill

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0561-7 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update