Bug 9300 - ruby new security issue CVE-2013-1821
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/542087/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Reported: 2013-03-08 19:54 CET by David Walser
Modified: 2013-07-26 17:38 CEST (History)
Source RPM: ruby-1.8.7.p358-1.1.mga2.src.rpm

Description David Walser 2013-03-08 19:54:58 CET
Red Hat issued an advisory on March 7:
https://rhn.redhat.com/errata/RHSA-2013-0612.html

This was previously fixed in Cauldron in Bug 9160.

Patched package uploaded for Mageia 2.

Patches added in Mageia 1 SVN.

Advisory:
========================

Updated ruby packages fix security vulnerability:

It was discovered that Ruby's REXML library did not properly restrict XML
entity expansion. An attacker could use this flaw to cause a denial of
service by tricking a Ruby application using REXML to read text nodes from
specially-crafted XML content, which will result in REXML consuming large
amounts of system memory (CVE-2013-1821).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
https://rhn.redhat.com/errata/RHSA-2013-0612.html
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p358-1.2.mga2
ruby-doc-1.8.7.p358-1.2.mga2
ruby-devel-1.8.7.p358-1.2.mga2
ruby-tk-1.8.7.p358-1.2.mga2

from ruby-1.8.7.p358-1.2.mga2.src.rpm

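Added example, not code from this bug report or the Mageia package: the mitigation for CVE-2013-1821 is a cap on how many bytes a single entity reference may expand to, and this constructed script parses a small nested-entity document under two caps to show REXML refusing the expansion once the cap is exceeded. It assumes rexml is installed (a bundled gem in Ruby 3) and that the setter lives on REXML::Security (newer REXML) or REXML::Document (older REXML); the entity names and sizes are constructed.

```ruby
require 'rexml/document'

# Constructed sample: a three-level entity chain whose single reference &c;
# expands to 50 * 10 * 10 = 5000 bytes of text (tiny, but the same shape
# of nested expansion the advisory describes).
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "#{'x' * 50}">
    <!ENTITY b "#{'&a;' * 10}">
    <!ENTITY c "#{'&b;' * 10}">
  ]>
  <r>&c;</r>
XML

# Newer REXML keeps the limits on REXML::Security; older releases (such as
# the 1.8.7-era fix on this page) exposed the same setters on REXML::Document.
def rexml_limit_holder
  defined?(REXML::Security) ? REXML::Security : REXML::Document
end

# Parse +xml+ with the entity-expansion text limit set to +text_limit+ bytes,
# then read the root text node, which is the point at which REXML expands
# entity references. Returns the expanded byte size, or :rejected when REXML
# refuses to expand. The previous limit is restored so the global setting
# is left unchanged.
def expanded_text_size(xml, text_limit)
  holder = rexml_limit_holder
  saved = holder.entity_expansion_text_limit
  holder.entity_expansion_text_limit = text_limit
  # Set the limit before parsing: newer REXML snapshots it when the
  # document object is created.
  doc = REXML::Document.new(xml)
  doc.root.text.bytesize
rescue RuntimeError                  # "entity expansion has grown too large"
  :rejected
ensure
  holder.entity_expansion_text_limit = saved
end

if __FILE__ == $PROGRAM_NAME
  puts expanded_text_size(NESTED_ENTITY_XML, 10_240) # 5000: within the default cap
  puts expanded_text_size(NESTED_ENTITY_XML, 1_024)  # rejected: cap enforced
end
```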
Comment 1 claire robinson 2013-03-12 12:57:25 CET
Testing with irb and some ruby-tk

require 'tk'
# Create the root window; the block is evaluated against the new widget,
# so `title` sets the window title.
root = TkRoot.new { title "Hello, world!" }
# Hand control to Tk's event loop until the window is closed.
Tk.mainloop
Comment 2 claire robinson 2013-03-12 13:05:48 CET
Testing complete mga2 32
Comment 3 claire robinson 2013-03-12 13:11:50 CET
Testing complete mga2 64

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 4 D Morgan 2013-03-16 01:50:41 CET
update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0092
Comment 5 David Walser 2013-07-26 17:38:27 CEST
*** Bug 10844 has been marked as a duplicate of this bug. ***