Advisory Published

RHSA-2008:0897: Moderate: ruby security update

First published: Tue Oct 21 2008(Updated: )

Ruby is an interpreted scripting language for quick and easy<br>object-oriented programming.<br>The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs<br>and a fixed source port when sending DNS requests. A remote attacker could<br>use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)<br>Ruby's XML document parsing module (REXML) was prone to a denial of service<br>attack via XML documents with large XML entity definitions recursion. A<br>specially-crafted XML file could cause a Ruby application using the REXML<br>module to use an excessive amount of CPU and memory. (CVE-2008-3790)<br>An insufficient "taintness" check flaw was discovered in Ruby's DL module,<br>which provides direct access to the C language functions. An attacker could<br>use this flaw to bypass intended safe-level restrictions by calling<br>external C functions with the arguments from an untrusted tainted inputs.<br>(CVE-2008-3657)<br>A denial of service flaw was discovered in WEBrick, Ruby's HTTP server<br>toolkit. A remote attacker could send a specially-crafted HTTP request to a<br>WEBrick server that would cause the server to use an excessive amount of<br>CPU time. (CVE-2008-3656)<br>A number of flaws were found in the safe-level restrictions in Ruby. It<br>was possible for an attacker to create a carefully crafted malicious script<br>that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)<br>A denial of service flaw was found in Ruby's regular expression engine. If<br>a Ruby script tried to process a large amount of data via a regular<br>expression, it could cause Ruby to enter an infinite-loop and crash.<br>(CVE-2008-3443)<br>Users of ruby should upgrade to these updated packages, which contain<br>backported patches to resolve these issues.

Affected SoftwareAffected VersionHow to fix
redhat/ruby<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-devel<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-devel<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-docs<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-irb<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-libs<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-libs<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-mode<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-rdoc<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-ri<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-tcltk<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-docs<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-irb<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-mode<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-rdoc<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-ri<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby-tcltk<1.8.5-5.el5_2.5
1.8.5-5.el5_2.5
redhat/ruby<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/irb<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-devel<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-docs<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-libs<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-libs<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-mode<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-tcltk<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/irb<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-devel<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-docs<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-mode<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1
redhat/ruby-tcltk<1.8.1-7.el4_7.1
1.8.1-7.el4_7.1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203