[SECURITY] [DLA 263-1] ruby1.9.1 security update
Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u5
CVE ID : CVE-2012-5371 CVE-2013-0269
Debian Bug : 693024 700471

Two vulnerabilities were identified in the Ruby language interpreter, version 1.9.1.

CVE-2012-5371

Jean-Philippe Aumasson identified that Ruby computed hash values without properly restricting the ability to trigger hash collisions predictably, allowing context-dependent attackers to cause a denial of service (CPU consumption). This is a different vulnerability than CVE-2011-4815.

CVE-2013-0269

Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby allowed remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects.

For the squeeze distribution, these vulnerabilities have been fixed in version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade your ruby1.9.1 package.
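The CVE-2013-0269 entry above describes two effects of parsing attacker-controlled JSON with the vulnerable gem: the document can name a class for the parser to instantiate, and keys can be turned into Ruby symbols, which on the 1.9 series are never garbage-collected. Upgrading the package is the fix; the following is an added example (not code from Debian or from the advisory) of how an application handles untrusted JSON defensively on top of that: parse into plain data only, keep keys as strings, bound size and nesting, and whitelist attributes before anything reaches mass assignment. The sample document, the attribute whitelist and the limits are constructed for this example; the `create_additions`, `symbolize_names` and `max_nesting` options are those of the current json gem.

```ruby
require 'json'

# Constructed sample input (not from the advisory): an untrusted document
# that smuggles an attribute the application never meant to expose
# ("admin") and a "json_class" hint of the kind that, with additions
# enabled, would make the parser build an object of the class it names.
UNTRUSTED_JSON = '{"name":"alice","admin":true,"json_class":"Range","a":[1,10,false]}'

# Attribute whitelist: the only keys mass assignment may ever receive.
ALLOWED_ATTRS = %w[name email].freeze

# Hypothetical size and nesting limits chosen for this example.
MAX_DOC_BYTES = 64 * 1024
MAX_NESTING   = 20

# True when the raw document is small enough to be worth parsing at all.
def within_limits?(doc, max_bytes: MAX_DOC_BYTES)
  doc.is_a?(String) && doc.bytesize <= max_bytes
end

# Parse untrusted JSON into plain Ruby data only.
# - create_additions: false keeps "json_class" as an ordinary string key
#   instead of turning the document into an object of the named class.
# - symbolize_names: false keeps keys as Strings, so attacker-chosen keys
#   are never interned and cannot grow the symbol table.
# - max_nesting bounds recursion depth; overly deep input raises
#   JSON::NestingError instead of consuming the stack.
def parse_untrusted(doc)
  raise ArgumentError, 'document too large' unless within_limits?(doc)
  JSON.parse(doc, create_additions: false, symbolize_names: false,
                  max_nesting: MAX_NESTING)
end

# Keep only whitelisted keys before the hash reaches mass assignment.
def permitted_attributes(parsed, allowed = ALLOWED_ATTRS)
  return {} unless parsed.is_a?(Hash)
  parsed.select { |key, _| allowed.include?(key) }
end

# Keys present in the input but absent from the whitelist; worth logging
# as a signal that a client is probing for mass-assignable attributes.
def rejected_keys(parsed, allowed = ALLOWED_ATTRS)
  return [] unless parsed.is_a?(Hash)
  parsed.keys.reject { |key| allowed.include?(key) }
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_untrusted(UNTRUSTED_JSON)
  puts "parsed class:  #{parsed.class}"                    # Hash, not Range
  puts "permitted:     #{permitted_attributes(parsed).inspect}"
  puts "rejected keys: #{rejected_keys(parsed).inspect}"
end
```

The whitelist is the part that matters for the mass-assignment bypass: even with a fixed gem, a model that accepts every key a parsed hash carries will accept `admin` as readily as `name`, so filtering happens before the hash is handed to the model, not after.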