Rapid7 Vulnerability & Exploit Database

RHSA-2008:0897: ruby security update

Back to Search

RHSA-2008:0897: ruby security update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
08/12/2008
Created
07/25/2018
Added
02/22/2009
Modified
07/04/2017

Description

Ruby is an interpreted scripting language for quick and easyobject-oriented programming.The Ruby DNS resolver library, resolv.rb, used predictable transaction IDsand a fixed source port when sending DNS requests. A remote attacker coulduse this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)Ruby's XML document parsing module (REXML) was prone to a denial of serviceattack via XML documents with large XML entity definitions recursion. Aspecially-crafted XML file could cause a Ruby application using the REXMLmodule to use an excessive amount of CPU and memory. (CVE-2008-3790)An insufficient "taintness" check flaw was discovered in Ruby's DL module,which provides direct access to the C language functions. An attacker coulduse this flaw to bypass intended safe-level restrictions by callingexternal C functions with the arguments from an untrusted tainted inputs.(CVE-2008-3657)A denial of service flaw was discovered in WEBrick, Ruby's HTTP servertoolkit. A remote attacker could send a specially-crafted HTTP request to aWEBrick server that would cause the server to use an excessive amount ofCPU time. (CVE-2008-3656)A number of flaws were found in the safe-level restrictions in Ruby. Itwas possible for an attacker to create a carefully crafted malicious scriptthat can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)A denial of service flaw was found in Ruby's regular expression engine. Ifa Ruby script tried to process a large amount of data via a regularexpression, it could cause Ruby to enter an infinite-loop and crash.(CVE-2008-3443)Users of ruby should upgrade to these updated packages, which containbackported patches to resolve these issues.

Solution(s)

  • redhat-upgrade-irb
  • redhat-upgrade-ruby
  • redhat-upgrade-ruby-devel
  • redhat-upgrade-ruby-docs
  • redhat-upgrade-ruby-irb
  • redhat-upgrade-ruby-libs
  • redhat-upgrade-ruby-mode
  • redhat-upgrade-ruby-rdoc
  • redhat-upgrade-ruby-ri
  • redhat-upgrade-ruby-tcltk

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;