RedHat has issued an advisory on March 7:
https://rhn.redhat.com/errata/RHSA-2013-0612.html

This was previously fixed in Cauldron in Bug 9160.

Patched package uploaded for Mageia 2. Patches added in Mageia 1 SVN.

Advisory:
========================

Updated ruby packages fix security vulnerability:

It was discovered that Ruby's REXML library did not properly restrict XML
entity expansion. An attacker could use this flaw to cause a denial of service
by tricking a Ruby application using REXML to read text nodes from
specially-crafted XML content, which will result in REXML consuming large
amounts of system memory (CVE-2013-1821).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
https://rhn.redhat.com/errata/RHSA-2013-0612.html
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p358-1.2.mga2
ruby-doc-1.8.7.p358-1.2.mga2
ruby-devel-1.8.7.p358-1.2.mga2
ruby-tk-1.8.7.p358-1.2.mga2

from ruby-1.8.7.p358-1.2.mga2.src.rpm

Reproducible:

Steps to Reproduce:
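Added example (not part of this bug report or of the Mageia ruby package): the upstream fix referenced in the advisory introduced REXML::Document.entity_expansion_text_limit, a cap on how many bytes a text node may grow to through entity expansion. The script below checks that the running REXML exposes that setting, then parses a small constructed document with nested entities under a generous and under a deliberately tight limit, so a tester can confirm the limit is actually enforced after the update and see how to read untrusted XML with an explicit limit. The fixture, the function names and the chosen byte limits are the example's own assumptions.

```ruby
# Added example (not from the Mageia bug or the ruby package): verifies that the
# REXML shipped with the running Ruby enforces an entity expansion text limit,
# the mitigation introduced for CVE-2013-1821, and shows parsing XML from an
# untrusted source under an explicit, smaller limit.
require 'rexml/document'

# Constructed fixture: a two-level entity definition. "&b;" expands to ten
# copies of "&a;", i.e. 100 bytes of text from a few bytes of markup. This is
# just enough nesting to show the limit tripping.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE x [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  ]>
  <x>&b;</x>
XML

# True if this REXML exposes the expansion text limit at all. Builds from
# before the fix (the state the advisory describes) do not have it.
def rexml_limit_supported?
  REXML::Document.respond_to?(:entity_expansion_text_limit=)
end

# Parse +xml+ and read the root element's text with the expansion text limit
# temporarily set to +limit_bytes+. Returns [:ok, text] when the expanded
# content fits and [:rejected, message] when REXML aborts the expansion.
# The setting is process-wide, so the previous value is always restored.
def read_root_text(xml, limit_bytes)
  raise "REXML without entity expansion limits: update ruby" unless rexml_limit_supported?
  previous = REXML::Document.entity_expansion_text_limit
  REXML::Document.entity_expansion_text_limit = limit_bytes
  begin
    doc = REXML::Document.new(xml)
    # Element#text unnormalizes the node, which is where the limit is checked.
    [:ok, doc.root.text]
  rescue RuntimeError => e
    # REXML raises "entity expansion has grown too large" as a RuntimeError;
    # REXML::ParseException is a subclass, so versions that abort during
    # parsing instead of during text access are caught here as well.
    [:rejected, e.message]
  ensure
    REXML::Document.entity_expansion_text_limit = previous
  end
end

if __FILE__ == $PROGRAM_NAME
  p rexml_limit_supported?
  p read_root_text(SAMPLE_XML, 1024)   # [:ok, "aaaa...a"] (100 bytes)
  p read_root_text(SAMPLE_XML, 50)     # [:rejected, "entity expansion has grown too large"]
end
```

The useful part for an application is the pattern in read_root_text: pick a limit sized for the documents you actually expect, set it before parsing anything untrusted, and treat the RuntimeError as a rejected input rather than a crash. The default after the fix is 10240 bytes, which is still far more than most configuration or API payloads need.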
Testing with irb and some ruby-tk:

  require 'tk'
  # open a Tk window titled "Hello, world!" and run the event loop
  root = TkRoot.new() { title "Hello, world!" }
  Tk.mainloop()
Testing complete mga2 32
Whiteboard: (none) => has_procedure mga2-32-ok
Testing complete mga2 64

Validating Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates
Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0092
Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED
*** Bug 10844 has been marked as a duplicate of this bug. ***
CC: (none) => oe