There is a denial of service and unsafe object creation vulnerability in the json gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269. When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The ruby-json package has been updated to the latest version 1.5.5 to fix this vulnerability.
Blocks: (none) => 6487
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
CC: (none) => luigiwalser
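For anyone checking how an application parses untrusted JSON while this is being sorted out: the example below is added here and is not code from the bug report, from Mageia or from the json gem. It assumes the json gem's real parse options create_additions and symbolize_names; the two sample documents are constructed. It parses untrusted input with the conservative options (so a "json_class" key stays an ordinary string and key names are never interned) and includes a small audit helper that measures whether a given set of parse options turns attacker-chosen key names into symbols.

```ruby
require 'json'

# Constructed sample of untrusted input (not from the bug report): a normal
# document and one carrying a "json_class" key, the kind of addition the json
# gem can act on when create_additions is enabled.
UNTRUSTED_DOCS = [
  '{"user":"alice","roles":["admin","dev"]}',
  '{"json_class":"SomeClassName","payload":"x"}'
].freeze

# Conservative parse for untrusted input: no class additions, so "json_class"
# is returned as a plain string value rather than acted on, and no symbolized
# keys, so key names chosen by the sender are never interned as symbols.
def parse_untrusted(json_text)
  JSON.parse(json_text, create_additions: false, symbolize_names: false)
end

# Count how many symbols a block interns. GC is paused so that symbol
# reclamation on newer Rubies cannot mask the growth being measured.
def symbols_interned_by
  GC.disable
  before = Symbol.all_symbols.size
  yield
  Symbol.all_symbols.size - before
ensure
  GC.enable
end

# Audit helper (hypothetical name): returns true when the given parse options
# turn untrusted key names into symbols. A key that cannot already be in the
# symbol table is used so the measurement only sees what this parse interns.
def interns_untrusted_keys?(parse_opts)
  JSON.parse(UNTRUSTED_DOCS.first, parse_opts) # warm-up: one-time lazy setup is not counted
  fresh_key = "probe_#{rand(2**64)}_#{Process.pid}"
  doc = JSON.generate({ fresh_key => 1 })
  symbols_interned_by { JSON.parse(doc, parse_opts) } > 0
end

if __FILE__ == $PROGRAM_NAME
  UNTRUSTED_DOCS.each { |d| p parse_untrusted(d) }
  puts "string keys intern symbols:     #{interns_untrusted_keys?(create_additions: false, symbolize_names: false)}"
  puts "symbolize_names interns symbols: #{interns_untrusted_keys?(symbolize_names: true)}"
end
```

The audit helper is the part worth keeping around: run it against the exact option set an application passes to JSON.parse, and it reports whether that configuration lets the sender grow the symbol table.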
Upstream says the following:
Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX

Funda, is this also bundled with ruby package?
Severity: normal => major
(In reply to comment #2)
> Upstream says the following:
> Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX
>
> Funda, is this also bundled with ruby package?

Yes, it is bundled. But it does not affect our packages. We are not generating any json related packages with ruby source.
Adding feedback tag until chiliproject, redmine & teambox are updated
Whiteboard: (none) => feedback
Ubuntu has issued an advisory for this today (February 21): http://www.ubuntu.com/usn/usn-1733-1/ from http://lwn.net/Vulnerabilities/539500/
$ urpmf --requires `urpmq --whatrequires ruby-json` | grep json\\[==
ruby-json-doc:ruby-json[== 1.5.1-1.mga1]

Shows only ruby-json-doc which is updated in core/updates_testing so we should test and push this separately from ruby-rails.
Whiteboard: feedback => (none)
# urpmi ruby-json
A requested package cannot be installed:
ruby-json-1.5.5-1.mga2.x86_64 (due to unsatisfied rubygem(json_pure)[== 1.5.5])

More dependency issues :\
Assigning back to you Funda, sorry. Please reassign to QA when you've had a chance to look at this. Ruby seems generally quite broken though in mga2.

# urpmi ruby-json
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  ruby-json                      1.5.1        1.mga1        i586
  ruby-json_pure                 1.5.1        1.mga1        noarch
300KB of additional disk space will be used.
86KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

# ecupdt
Enabling Core Updates Testing

# urpmi ruby-json ruby-json_pure
Package ruby-json_pure-1.5.1-1.mga1.noarch is already installed
A requested package cannot be installed:
ruby-json-1.5.5-1.mga2.i586 (due to unsatisfied rubygem(json_pure)[== 1.5.5])
Continue installation anyway? (Y/n) n
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Status: NEW => RESOLVED
Resolution: (none) => OLD
QA Contact: (none) => security