Rapid7 Vulnerability & Exploit Database

RHSA-2009:1140: ruby security update



Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
02/20/2009
Created
07/25/2018
Added
09/12/2009
Modified
07/04/2017

Description

Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to do system management tasks.

A flaw was found in the way the Ruby POP module processed certain APOP authentication requests. By sending certain responses (that is, crafted APOP greetings) when the Ruby APOP module attempted to authenticate using APOP against a POP server, a remote attacker in control of that server could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558)

It was discovered that Ruby did not properly check the return value when verifying X.509 certificates. This could potentially allow a remote attacker to present an invalid X.509 certificate and have Ruby treat it as valid. (CVE-2009-0642)

A flaw was found in the way Ruby converted BigDecimal objects to Float numbers. If an attacker were able to provide certain input to the BigDecimal object converter, they could crash an application using this class. (CVE-2009-1904)

All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues.
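
The APOP weakness above (CVE-2007-1558) comes from the client computing MD5(stamp + password) over a stamp chosen entirely by the server: a hostile server can feed crafted stamps and use the digests it gets back to recover part of the password. The check a client needs is to refuse APOP unless the greeting's stamp is well-formed. The Ruby script below is an added example written for this page, not code from the Red Hat advisory or from Ruby's net/pop library (Ruby's own fix tightened the stamp check in net/pop.rb along similar lines; the exact pattern here is this example's own). The greetings are constructed; the first is the APOP example from RFC 1939 section 7, whose published digest the script reproduces.

```ruby
require 'digest/md5'

# Constructed greetings, not captured traffic. The first is the APOP example
# from RFC 1939 section 7; the second is the kind of greeting a hostile server
# can send, since nothing stops it from putting arbitrary bytes inside the
# angle brackets.
GOOD_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
EVIL_GREETING = "+OK ready <<pwned> unix timestamp@a b>"

# Loose extraction: "anything between the first '<' and the last '>'".
# A client using this hands MD5(stamp + password) to the server for a
# server-chosen stamp, which is the precondition for the CVE-2007-1558 attack.
LOOSE_STAMP = /<.+>/

# Strict extraction (this example's own pattern, modelled on the RFC 1939
# msg-id shape): printable ASCII only, no whitespace, exactly one '@', and no
# nested '<' or '>'. Anything else is not a stamp and APOP is refused.
STRICT_STAMP = /<[!-~&&[^<>@]]+@[!-~&&[^<>@]]+>/

def loose_stamp(greeting)
  greeting.slice(LOOSE_STAMP)
end

def strict_stamp(greeting)
  greeting.slice(STRICT_STAMP)
end

# APOP digest per RFC 1939: MD5 over the stamp (angle brackets included)
# immediately followed by the shared secret, as a lowercase hex string.
def apop_digest(stamp, password)
  Digest::MD5.hexdigest(stamp + password)
end

# Vulnerable client behaviour: answer whatever stamp the server sent.
def apop_command_loose(greeting, user, password)
  stamp = loose_stamp(greeting)
  raise ArgumentError, 'not an APOP server' unless stamp
  "APOP #{user} #{apop_digest(stamp, password)}"
end

# Hardened client behaviour: only answer a well-formed stamp, otherwise refuse
# APOP so the caller can fall back to another mechanism or abort.
def apop_command_strict(greeting, user, password)
  stamp = strict_stamp(greeting)
  raise ArgumentError, 'greeting carries no well-formed APOP stamp; refusing APOP' unless stamp
  "APOP #{user} #{apop_digest(stamp, password)}"
end

if __FILE__ == $PROGRAM_NAME
  puts apop_command_strict(GOOD_GREETING, 'mrose', 'tanstaaf')
  puts apop_command_loose(EVIL_GREETING, 'mrose', 'tanstaaf') # digest over attacker bytes
  begin
    apop_command_strict(EVIL_GREETING, 'mrose', 'tanstaaf')
  rescue ArgumentError => e
    puts "refused: #{e.message}"
  end
end
```

Running the script shows the loose client answering the hostile greeting with a digest while the strict one refuses. The strict pattern only narrows the server's choice of stamp to the msg-id shape RFC 1939 describes; APOP remains an unsalted MD5 of the password, so the check closes this attack surface without making the scheme strong.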

Solution(s)

  • redhat-upgrade-irb
  • redhat-upgrade-ruby
  • redhat-upgrade-ruby-devel
  • redhat-upgrade-ruby-docs
  • redhat-upgrade-ruby-irb
  • redhat-upgrade-ruby-libs
  • redhat-upgrade-ruby-mode
  • redhat-upgrade-ruby-rdoc
  • redhat-upgrade-ruby-ri
  • redhat-upgrade-ruby-tcltk

