First published: Tue Apr 02 2013
Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to do system management tasks.

A flaw in rubygem-json and ruby193-rubygem-json allowed remote attacks by creating different types of malicious objects from untrusted JSON input. For example, an attacker could cause a denial of service through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected in this Ruby version. The same flaw could also be exploited to create internal objects, which could allow a SQL injection attack. (CVE-2013-0269)

It was found that documentation created by rubygem-rdoc and ruby193-rubygem-rdoc was vulnerable to a cross-site scripting (XSS) attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's session. As rubygem-rdoc and ruby193-rubygem-rdoc are used for creating documentation for Ruby source files (such as classes, modules, and so on), it is not a common scenario to make such documentation accessible over the network. (CVE-2013-0256)

Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269, and Eric Hodel of RDoc upstream for reporting CVE-2013-0256. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269, and Evgeny Ermakov as the original reporter of CVE-2013-0256.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these updated packages, which correct these issues.
Affected Software | Affected Version | Fixed Version |
---|---|---|
redhat/ruby193-ruby | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/rubygem-json | <1.7.3-2.el6 | 1.7.3-2.el6 |
redhat/rubygem-rdoc | <3.8-9.el6 | 3.8-9.el6 |
redhat/ruby193-ruby-debuginfo | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/ruby193-ruby-devel | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/ruby193-ruby-doc | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/ruby193-ruby-irb | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/ruby193-ruby-libs | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/ruby193-ruby-tcltk | <1.9.3.327-28.el6 | 1.9.3.327-28.el6 |
redhat/ruby193-rubygem-bigdecimal | <1.1.0-28.el6 | 1.1.0-28.el6 |
redhat/ruby193-rubygem-io-console | <0.3-28.el6 | 0.3-28.el6 |
redhat/ruby193-rubygem-json | <1.5.4-28.el6 | 1.5.4-28.el6 |
redhat/ruby193-rubygem-minitest | <2.5.1-28.el6 | 2.5.1-28.el6 |
redhat/ruby193-rubygem-rake | <0.9.2.2-28.el6 | 0.9.2.2-28.el6 |
redhat/ruby193-rubygem-rdoc | <3.9.4-28.el6 | 3.9.4-28.el6 |
redhat/ruby193-rubygems | <1.8.23-28.el6 | 1.8.23-28.el6 |
redhat/ruby193-rubygems-devel | <1.8.23-28.el6 | 1.8.23-28.el6 |
redhat/rubygem-json-debuginfo | <1.7.3-2.el6 | 1.7.3-2.el6 |
redhat/rubygem-json-doc | <1.7.3-2.el6 | 1.7.3-2.el6 |
redhat/rubygem-rdoc-doc | <3.8-9.el6 | 3.8-9.el6 |