[Secure-testing-team] Bug#494402: Multiple vulnerabilities found

Sat Aug 9 03:34:49 UTC 2008

Package: ruby1.9
Version: 1.9.0.2-4
Severity: grave
Tags: security

The upstream has announced that they fixed multiple vulnerabilities[1].

* Several vulnerabilities in safe level
* DoS vulnerability in WEBrick
* Lack of taintness check in dl
* DNS spoofing vulnerability in resolv.rb (CVE-2008-1447[2])

The following pacakges in Debian are affected:

  * ruby1.9
    - unstable: 1.9.0.2-5
    - testing:  1.9.0.2-4
    - stable:   1.9.0+20060609-1etch2

[1] http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

Regards,
Daigo

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)
Shell: /bin/sh linked to /bin/bash

Versions of packages ruby1.9 depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libruby1.9                    1.9.0.2-4  Libraries necessary to run Ruby 1.

ruby1.9 recommends no packages.

Versions of packages ruby1.9 suggests:
ii  rdoc1.9                       1.9.0.2-4  Generate documentation from Ruby s
ii  ri1.9                         1.9.0.2-4  Ruby Interactive reference (for Ru
ii  ruby1.9-examples              1.9.0.2-4  Examples for Ruby 1.9
ii  rubygems1.9                   1.2.0-1    package management framework for R

-- no debconf information