Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Red Hat OpenShift 2.0.2 RHSA-2014:0207-01 Moderate: Rubygems DoS Issue

red hat
Calendar Grey February 24, 2014
Dist Redhat Esm H88
Red Hat has published a security alert concerning rubygems, highlighting a moderate vulnerability that affects OpenShift version 2.0.2.
An updated rubygems package that fixes one security issue is now available for Red Hat OpenShift Enterprise 2.0.2

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Summary

RubyGems is the Ruby standard for publishing and managing third-party libraries.
It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion. (CVE-2013-4287)
Red Hat would like to thank Rubygems upstream for reporting this issue. Upstream acknowledges Damir Sharipov as the original reporter.
All users of Red Hat OpenShift Enterprise 2.0.2 are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

Topics%20covered

Topics Covered

security advisory moderate denial of service software patch Red Hat OpenShift rubygems

References

https://access.redhat.com/security/cve/CVE-2013-4287 https://access.redhat.com/security/updates/classification/#moderate

Package List

RHOSE Client 2.0:
Source:
noarch: rubygems-1.8.24-5.el6op.noarch.rpm rubygems-devel-1.8.24-5.el6op.noarch.rpm
RHOSE Infrastructure 2.0:
Source:
noarch: rubygems-1.8.24-5.el6op.noarch.rpm rubygems-devel-1.8.24-5.el6op.noarch.rpm
RHOSE Node 2.0:
Source:
noarch: rubygems-1.8.24-5.el6op.noarch.rpm rubygems-devel-1.8.24-5.el6op.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package


Advisory ID: RHSA-2014:0207-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2014:0207.html
Issue date: 2014-02-24

Topic

An updated rubygems package that fixes one security issue is now availablefor Red Hat OpenShift Enterprise 2.0.2.The Red Hat Security Response Team has rated this update as having Moderatesecurity impact. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available from the CVE link inthe References section.

Topics%20covered

Topics Covered

security advisory moderate denial of service software patch Red Hat OpenShift rubygems

Relevant Releases Architectures

RHOSE Client 2.0 - noarch

RHOSE Infrastructure 2.0 - noarch

RHOSE Node 2.0 - noarch

Bugs Fixed

1002364 - CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here