Upstream has issued an advisory today (November 22):
The issue is fixed upstream for 2.0.x and 1.9.x, which we can update for Cauldron and Mageia 3:
Ruby 1.8.x (Mageia 2) is also affected, but there is no fix available at this time, and due to the EOL, we will not be able to provide a fix for Mageia 2.
Steps to Reproduce:
I've already pushed the updated package into Cauldron. Leave this package for mga3 only.
OK, fixed with a patch in ruby-2.0.0.p247-7.mga4 in Cauldron.
Red Hat has issued an advisory for this on November 25:
Apparently Funda built the update for this for Mageia 3 and I never noticed.
Updated ruby packages fix security vulnerability:
Charlie Somerville discovered that Ruby incorrectly handled floating point
number conversion. An attacker could possibly use this issue with an
application that converts text to floating point numbers to cause the
application to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2013-4164).
Updated packages in core/updates_testing:
Just testing that ruby is working.
Testing complete on Mageia 3 i586 and x86_64 using the script from
Someone from the sysadmin team please push 11734.adv to updates.