[Secure-testing-team] Bug#487239: ruby1.9: Arbitrary code execution vulnerability and so on

Daigo Moriwaki daigo at debian.org
Fri Jun 20 13:53:16 UTC 2008


Package: ruby1.9
Version: 1.9.0.1-5
Severity: grave
Tags: security
Justification: user security hole


The upstream has announced multiple vulnerabilities in Ruby. They may lead
to a denial of service (DoS) condition or allow execution of arbitrary code.
  * CVE-2008-2662
  * CVE-2008-2663
  * CVE-2008-2725
  * CVE-2008-2726
  * CVE-2008-2727
  * CVE-2008-2728
  * CVE-2008-2664

Vulnerable versions

1.8 series
  * 1.8.4 and all prior versions
  * 1.8.5-p230 and all prior versions
  * 1.8.6-p229 and all prior versions
  * 1.8.7-p21 and all prior versions

1.9 series
  * 1.9.0-1 and all prior versions

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)
Shell: /bin/sh linked to /bin/bash

Versions of packages ruby1.9 depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libruby1.9                    1.9.0.1-5  Libraries necessary to run Ruby 1.

ruby1.9 recommends no packages.

-- no debconf information





More information about the Secure-testing-team mailing list