Upstream has issued an advisory today (November 22): https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ The issue is fixed upstream for 2.0.x and 1.9.x, which we can update for Cauldron and Mageia 3: https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/ https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ Ruby 1.8.x (Mageia 2) is also affected, but there is no fix available at this time, and due to the EOL, we will not be able to provide a fix for Mageia 2. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 11726
I've already pushed the updated package into cauldron. Let this package for mga3 only.
Version: Cauldron => 3Blocks: 11726 => (none)Source RPM: ruby-2.0.0.p247-6.mga4.src.rpm => rubyWhiteboard: MGA3TOO => (none)
OK, fixed with a patch in ruby-2.0.0.p247-7.mga4 in Cauldron.
Source RPM: ruby => ruby-1.9.3.p448-1.mga3.src.rpm
RedHat has issued an advisory for this on November 25: https://rhn.redhat.com/errata/RHSA-2013-1764.html
URL: (none) => http://lwn.net/Vulnerabilities/575040/
Apparently Funda built the update for this for Mageia 3 and I never noticed. Advisory: ======================== Updated ruby packages fix security vulnerability: Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. An attacker could possibly use this issue with an application that converts text to floating point numbers to cause the application to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2013-4164). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164 https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ http://www.ubuntu.com/usn/usn-2035-1 ======================== Updated packages in core/updates_testing: ======================== ruby-1.9.3.p484-1.mga3 libruby1.9-1.9.3.p484-1.mga3 ruby-doc-1.9.3.p484-1.mga3 ruby-devel-1.9.3.p484-1.mga3 ruby-tk-1.9.3.p484-1.mga3 ruby-irb-1.9.3.p484-1.mga3 from ruby-1.9.3.p484-1.mga3.src.rpm
CC: (none) => fundawangAssignee: fundawang => qa-bugsSeverity: normal => critical
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
Just testing that ruby is working. Testing complete on Mageia 3 i586 and x86_64 using the script from https://bugs.mageia.org/show_bug.cgi?id=10637#c7 Someone from the sysadmin team please push 11734.adv to updates.
Keywords: (none) => validated_updateWhiteboard: advisory => advisory MGA3-64-OK MGA3-32-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0003.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED