Red Hat: 2013:1203-01: rubygems: Moderate Advisory

    Date: 04 Sep 2013
    Category: Red Hat
    Posted By: Joe Shakespeare
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: rubygems security update
    Advisory ID:       RHSA-2013:1203-01
    Product:           Red Hat OpenShift Enterprise
    Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1203.html
    Issue date:        2013-09-04
    CVE Names:         CVE-2012-2125 CVE-2012-2126 
    =====================================================================
    
    1. Summary:
    
    An updated rubygems package that fixes two security issues is now available
    for Red Hat OpenShift Enterprise 1.2.2.
    
    The Red Hat Security Response Team has rated this update as having moderate
    security impact. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available from the CVE link in
    the References section.
    
    2. Relevant releases/architectures:
    
    RHOSE Client 1.2 - noarch
    RHOSE Infrastructure 2.1 - noarch
    Red Hat OpenShift Enterprise Node - noarch
    
    3. Description:
    
    RubyGems is the Ruby standard for publishing and managing third-party
    libraries.
    
    It was found that, when using RubyGems, the connection could be redirected
    from HTTPS to HTTP. This could lead to a user believing they are installing
    a gem via HTTPS, when the connection may have been silently downgraded to
    HTTP. (CVE-2012-2125)
    
    It was found that RubyGems did not verify SSL connections. This could lead
    to man-in-the-middle attacks. (CVE-2012-2126)
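The two weaknesses above are client-side policy gaps: following a redirect that drops from HTTPS to HTTP, and opening a TLS session without checking the peer certificate. The following Ruby example is added here to illustrate the corrected behaviour; it is not the advisory's patch or RubyGems' own code. It builds a Net::HTTP client with OpenSSL::SSL::VERIFY_PEER and checks every redirect target before following it. All host names (example.invalid, cdn.example.invalid), the injectable `fetcher` hook and the `demo_redirect_chain` function are constructed for this example so that it runs without a network.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Added example, not RubyGems' own implementation. Two client-side rules:
#  * a TLS session must verify the server certificate (the CVE-2012-2126 class of problem),
#  * an HTTPS request must never follow a redirect to plain HTTP (the CVE-2012-2125 class).

class DowngradeError < StandardError; end
class TooManyRedirects < StandardError; end

# Resolve the Location header +location+ against the request URI +from+ and return the
# target, or raise DowngradeError when an HTTPS origin would be sent to a non-HTTPS URL.
# URI#merge handles both absolute and relative Location values.
def safe_redirect_target(from, location)
  from   = URI(from)
  target = from.merge(location)
  if from.scheme == 'https' && target.scheme != 'https'
    raise DowngradeError, "refusing redirect from #{from} to non-HTTPS #{target}"
  end
  target
end

# Build a Net::HTTP client for +uri+ that verifies the peer certificate on HTTPS.
# Net::HTTP.new does not open a connection, so the object can be inspected offline.
def build_verified_client(uri)
  uri  = URI(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl     = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER        # never VERIFY_NONE
    http.cert_store  = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  http
end

# Fetch +uri+, following at most +limit+ redirects, each one vetted by safe_redirect_target.
# +fetcher+ (an assumption for this example) lets the policy be exercised with canned
# responses; when nil, a real verified request is made.
# Returns [final_response, list_of_visited_urls].
def fetch_with_policy(uri, limit: 5, fetcher: nil)
  fetcher ||= lambda do |u|
    build_verified_client(u).request(Net::HTTP::Get.new(u.request_uri))
  end
  current = URI(uri)
  visited = []
  loop do
    raise TooManyRedirects, "more than #{limit} redirects" if visited.size > limit
    visited << current.to_s
    response = fetcher.call(current)
    return [response, visited] unless response.is_a?(Net::HTTPRedirection)
    current = safe_redirect_target(current, response['location'])
  end
end

# Build a canned Net::HTTPResponse offline (constructed test data, no socket involved).
def canned_response(klass, code, location = nil)
  resp = klass.new('1.1', code, 'canned')
  resp['Location'] = location if location
  resp
end

# Walk a constructed redirect chain: an HTTPS origin that redirects to an HTTPS mirror.
# A chain whose Location pointed at http:// would raise DowngradeError instead.
def demo_redirect_chain(mirror_scheme: 'https')
  origin = 'https://example.invalid/gems/a.gem'
  mirror = "#{mirror_scheme}://cdn.example.invalid/gems/a.gem"
  responses = {
    origin => canned_response(Net::HTTPMovedPermanently, '301', mirror),
    mirror => canned_response(Net::HTTPOK, '200'),
  }
  _response, visited = fetch_with_policy(origin, fetcher: ->(u) { responses.fetch(u.to_s) })
  visited
end

if __FILE__ == $PROGRAM_NAME
  puts demo_redirect_chain.inspect
  begin
    demo_redirect_chain(mirror_scheme: 'http')
  rescue DowngradeError => e
    puts "blocked: #{e.message}"
  end
end
```

In a real client the verify_mode setting only helps if the certificate store actually contains the CA roots the server chains to, which is why the example loads the system default paths; an empty store with VERIFY_PEER fails closed rather than silently accepting any certificate.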
    
    All users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to
    this updated package, which corrects these issues.
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    This update is available via the Red Hat Network. Details on how to
    use the Red Hat Network to apply this update are available at
    https://access.redhat.com/site/articles/11258
    
    5. Bugs fixed (http://bugzilla.redhat.com/):
    
    814718 - CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23
    
    6. Package List:
    
    RHOSE Client 1.2:
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygems-1.8.24-4.el6op.src.rpm
    
    noarch:
    rubygems-1.8.24-4.el6op.noarch.rpm
    
    RHOSE Infrastructure 2.1:
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygems-1.8.24-4.el6op.src.rpm
    
    noarch:
    rubygems-1.8.24-4.el6op.noarch.rpm
    
    Red Hat OpenShift Enterprise Node:
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygems-1.8.24-4.el6op.src.rpm
    
    noarch:
    rubygems-1.8.24-4.el6op.noarch.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/#package
    
    7. References:
    
    https://www.redhat.com/security/data/cve/CVE-2012-2125.html
    https://www.redhat.com/security/data/cve/CVE-2012-2126.html
    https://access.redhat.com/security/updates/classification/#moderate
    
    8. Contact:
    
    The Red Hat security contact is .  More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2013 Red Hat, Inc.
    