[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

RHSA-2011:0908-01 -- Redhat ruby

ID: oval:org.secpod.oval:def:500064Date: (C)2012-01-31   (M)2023-08-09
Class: PATCHFamily: unix




Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in the way large amounts of memory were allocated on 64-bit systems when using the BigDecimal class. A context-dependent attacker could use this flaw to cause memory corruption, causing a Ruby application that uses the BigDecimal class to crash or, possibly, execute arbitrary code. This issue did not affect 32-bit systems. It was found that WEBrick did not filter terminal escape sequences from its log files. A remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the WEBrick log files. If a victim viewed the log files with a terminal emulator, it could result in control characters being executed with the privileges of that user. A cross-site scripting flaw was found in the way WEBrick displayed error pages. A remote attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted URL. A flaw was found in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted code to modify arbitrary, trusted strings, which safe level 4 restrictions would otherwise prevent. Red Hat would like to thank Drew Yao of Apple Product Security for reporting the CVE-2011-0188 and CVE-2010-0541 issues. All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues.

Platform:
Red Hat Enterprise Linux 4
Product:
ruby
Reference:
RHSA-2011:0908-01
CVE-2009-4492
CVE-2010-0541
CVE-2011-0188
CVE-2011-1005
CVE    4
CVE-2011-1005
CVE-2009-4492
CVE-2010-0541
CVE-2011-0188
...
CPE    1
cpe:/o:redhat:enterprise_linux:4

© SecPod Technologies