=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2004/VULN494
_____________________________________________________________________

DATE                      : 18/11/2004

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running ruby.

======================================================================

  _______________________________________________________________________

                  Mandrakelinux Security Update Advisory
  _______________________________________________________________________

  Package name:           ruby
  Advisory ID:            MDKSA-2004:128
  Date:                   November 8th, 2004

  Affected versions:      10.0, 10.1, 9.2, Corporate Server 2.1
  ______________________________________________________________________

  Problem Description:

  Andres Salomon noticed a problem with the CGI session management in
  Ruby.  The CGI::Session FileStore implementation stores session
  information in an insecure manner: it simply creates the session files
  without regard to their permissions (CAN-2004-0755).

  The ruby developers have corrected a problem in the ruby CGI module
  that can be triggered remotely and cause an infinite loop on the
  server (CAN-2004-0983).

  The updated packages are patched to prevent these problems.
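  The following Ruby script is an added illustration of the first issue and
  is not part of this advisory or of the Ruby distribution.  It contrasts a
  session file written the way an unhardened file-based store does it
  (relying on the process umask, no exclusive create) with a hardened writer
  that forces owner-only permissions, and it includes a small audit routine
  that lists session files readable or writable by group/other, which is
  the check an administrator would run on a session directory after this
  update.  The "ruby_sess." prefix, the session-id format and the helper
  names are assumptions made for the example.

```ruby
# Added example (not the advisory's or Ruby's own code): insecure vs.
# hardened creation of CGI session files, plus a permission audit.
require "tmpdir"

# Assumed prefix for file-based session stores (matches what the example
# audit looks for; adjust to the store actually in use).
SESSION_PREFIX = "ruby_sess."

# Insecure pattern: the file mode is whatever the umask leaves of 0666
# (simulated here with the common default umask of 022, giving 0644), and an
# existing file at that path is silently truncated and reused.
def write_session_insecure(dir, sid, data)
  path = File.join(dir, SESSION_PREFIX + sid)
  old_umask = File.umask(0022)            # simulate a typical default umask
  begin
    File.open(path, "w") { |f| f.write(data) }
  ensure
    File.umask(old_umask)
  end
  path
end

# Hardened pattern: owner-only mode, exclusive create (refuses to reuse a
# pre-existing file), and a post-create check that the mode really is 0600.
def write_session_secure(dir, sid, data)
  # Constructed constraint: session ids are lowercase hex, 16+ chars, so a
  # caller cannot smuggle path components into the file name.
  raise ArgumentError, "bad session id" unless sid =~ /\A[0-9a-f]{16,}\z/
  path = File.join(dir, SESSION_PREFIX + sid)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    raise "unexpected mode on #{path}" unless (f.stat.mode & 0777) == 0600
    f.write(data)
  end
  path
end

# Permission bits of a file (owner/group/other only).
def file_mode(path)
  File.stat(path).mode & 0777
end

# Audit helper: session files in dir with any group/other bit set, sorted.
def permissive_session_files(dir)
  Dir.glob(File.join(dir, SESSION_PREFIX + "*")).select do |p|
    File.file?(p) && (file_mode(p) & 0077) != 0
  end.sort
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    a = write_session_insecure(dir, "0123456789abcdef", "user=alice")
    b = write_session_secure(dir, "fedcba9876543210", "user=bob")
    printf("%s %04o\n", File.basename(a), file_mode(a))   # 0644
    printf("%s %04o\n", File.basename(b), file_mode(b))   # 0600
    bad = permissive_session_files(dir).map { |p| File.basename(p) }
    puts "permissive session files: #{bad.inspect}"
  end
end
```

  Run against a real session directory, permissive_session_files is the
  quick post-upgrade check: the patched packages stop creating world-readable
  session files, but files created before the update keep the mode they were
  given until they are removed or chmod'ed.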
  _______________________________________________________________________

  References:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0983
  ______________________________________________________________________

  Updated Packages:

  Mandrakelinux 10.0:
  78ad14ec966b0555089e94ad19604b44  10.0/RPMS/ruby-1.8.1-1.2.100mdk.i586.rpm
  33d12ff3583ced4c88be97fb473b0813  10.0/RPMS/ruby-devel-1.8.1-1.2.100mdk.i586.rpm
  776bfc4df4f2c093efceebe470391707  10.0/RPMS/ruby-doc-1.8.1-1.2.100mdk.i586.rpm
  890a20e02c7f46b47adf6a8f78223659  10.0/RPMS/ruby-tk-1.8.1-1.2.100mdk.i586.rpm
  35abe65664a41317a279ef320d56ac46  10.0/SRPMS/ruby-1.8.1-1.2.100mdk.src.rpm

  Mandrakelinux 10.0/AMD64:
  a264a378c30202cea578c9a4594b3eeb  amd64/10.0/RPMS/ruby-1.8.1-1.2.100mdk.amd64.rpm
  37bfe093ef80363bedba7b2dadf51bd6  amd64/10.0/RPMS/ruby-devel-1.8.1-1.2.100mdk.amd64.rpm
  f87a35ff158820c1e237306a76ad45c2  amd64/10.0/RPMS/ruby-doc-1.8.1-1.2.100mdk.amd64.rpm
  c2bed939a9ca7da197f949b71a3a1687  amd64/10.0/RPMS/ruby-tk-1.8.1-1.2.100mdk.amd64.rpm
  35abe65664a41317a279ef320d56ac46  amd64/10.0/SRPMS/ruby-1.8.1-1.2.100mdk.src.rpm

  Mandrakelinux 10.1:
  101f9a5772044b5267a1be98b36dcac5  10.1/RPMS/ruby-1.8.1-4.2.101mdk.i586.rpm
  72c1c8413c801e599dfc174041754384  10.1/RPMS/ruby-devel-1.8.1-4.2.101mdk.i586.rpm
  b9c6fce1facc4bdbf829435b6075d266  10.1/RPMS/ruby-doc-1.8.1-4.2.101mdk.i586.rpm
  b2f516a033fb089f5a5819dcb9f2a38c  10.1/RPMS/ruby-tk-1.8.1-4.2.101mdk.i586.rpm
  d356531e89645a5aa9e2f5ad7dac55dd  10.1/SRPMS/ruby-1.8.1-4.2.101mdk.src.rpm

  Mandrakelinux 10.1/X86_64:
  dc340846e8c30a4ef9115eb7e20520c3  x86_64/10.1/RPMS/ruby-1.8.1-4.2.101mdk.x86_64.rpm
  234644faf341899ae3f251cbfb09f0da  x86_64/10.1/RPMS/ruby-devel-1.8.1-4.2.101mdk.x86_64.rpm
  b4b7876cc7762e09469e2d60ccb7f4f2  x86_64/10.1/RPMS/ruby-doc-1.8.1-4.2.101mdk.x86_64.rpm
  4177169d6970c4dd3210ca8a15cffead  x86_64/10.1/RPMS/ruby-tk-1.8.1-4.2.101mdk.x86_64.rpm
  d356531e89645a5aa9e2f5ad7dac55dd  x86_64/10.1/SRPMS/ruby-1.8.1-4.2.101mdk.src.rpm

  Corporate Server 2.1:
  8467a2a206b02e729e39601e1762af1c  corporate/2.1/RPMS/ruby-1.6.7-5.2.C21mdk.i586.rpm
  236abcc01b4cabc4f70bbf76d73a604b  corporate/2.1/RPMS/ruby-devel-1.6.7-5.2.C21mdk.i586.rpm
  47155447664218a143dca3f9c03c1316  corporate/2.1/RPMS/ruby-doc-1.6.7-5.2.C21mdk.i586.rpm
  97ca9727e9f927e30723eeda3a935568  corporate/2.1/RPMS/ruby-tk-1.6.7-5.2.C21mdk.i586.rpm
  451b383b9a34d35fb11bab1e917437de  corporate/2.1/SRPMS/ruby-1.6.7-5.2.C21mdk.src.rpm

  Corporate Server 2.1/x86_64:
  175f8a45c99de3487df134df6fb22ef4  x86_64/corporate/2.1/RPMS/ruby-1.6.7-5.2.C21mdk.x86_64.rpm
  1d303628932bff75f684be71a6e453f1  x86_64/corporate/2.1/RPMS/ruby-devel-1.6.7-5.2.C21mdk.x86_64.rpm
  a937b87c10e5f3ecb41610e64b09c9ba  x86_64/corporate/2.1/RPMS/ruby-doc-1.6.7-5.2.C21mdk.x86_64.rpm
  40a44ec634f8929394835d5c561ad212  x86_64/corporate/2.1/RPMS/ruby-tk-1.6.7-5.2.C21mdk.x86_64.rpm
  451b383b9a34d35fb11bab1e917437de  x86_64/corporate/2.1/SRPMS/ruby-1.6.7-5.2.C21mdk.src.rpm

  Mandrakelinux 9.2:
  6f8ee2c9308debe5b391b322f93e9524  9.2/RPMS/ruby-1.8.0-4.2.92mdk.i586.rpm
  58cabdd982a8c760e7af0fb5e81d9dc7  9.2/RPMS/ruby-devel-1.8.0-4.2.92mdk.i586.rpm
  c7b7d678f4cb76b79996380f2f04a747  9.2/RPMS/ruby-doc-1.8.0-4.2.92mdk.i586.rpm
  c613fe92253fdfe9f581eb0af17f75d1  9.2/RPMS/ruby-tk-1.8.0-4.2.92mdk.i586.rpm
  95e4882f99900e40a8e9680ecf5d08e1  9.2/SRPMS/ruby-1.8.0-4.2.92mdk.src.rpm

  Mandrakelinux 9.2/AMD64:
  c4d3b440f5c11465b8d496bf4f531df4  amd64/9.2/RPMS/ruby-1.8.0-4.2.92mdk.amd64.rpm
  ca6c4b4aac7aa3d091ef62f0cefa3820  amd64/9.2/RPMS/ruby-devel-1.8.0-4.2.92mdk.amd64.rpm
  ce56f743c39e354939ff4ca43f288d14  amd64/9.2/RPMS/ruby-doc-1.8.0-4.2.92mdk.amd64.rpm
  096e63f35549468726f50ffe2bfa28e7  amd64/9.2/RPMS/ruby-tk-1.8.0-4.2.92mdk.amd64.rpm
  95e4882f99900e40a8e9680ecf5d08e1  amd64/9.2/SRPMS/ruby-1.8.0-4.2.92mdk.src.rpm
  _______________________________________________________________________

  To upgrade automatically use MandrakeUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandrakesoft for security.  You can obtain
  the GPG public key of the Mandrakelinux Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

  You can view other update advisories for Mandrakelinux at:

   http://www.mandrakesoft.com/security/advisories

  If you want to report vulnerabilities, please contact

   security@linux-mandrake.com

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
   <security@linux-mandrake.com>

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================
