Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 591
Alerts This Week
Warning Icon 1 591

Scientific Linux: CVE-2011-2686 Moderate: Ruby Security Issues

Scientific Large Esm H446
Moderate: ruby security update
Date: Mon, 30 Jan 2012 08:37:07 -0600
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Organization: Fermilab
Subject: Informative Announcement for SL4.x Less Than 1 Month End Of Life
 Notice
MIME-Version: 1.0

In accordance with our Upstream Vendor's Errata Support Policy, the
regular life-cycle of Scientific Linux 4 will end in February 2012.

After this date, The Upstream Vendor will discontinue the regular update
services. We must follow them in this matter. Therefore, new bug fix,
enhancement, and
security errata updates will no longer be available for Scientific Linux
4 after the
End of Life date. They will not be providing updates and so we cannot
provide them.

Anyone still running production workloads on Scientific Linux 4 are advised
to begin upgrading to Scientific Linux 5 or 6. Upstream recommends a
reinstall and not an upgrade. Please be advised that we also believe
that a clean
reinstall is the preferred method for moving from Scientific Linux 4 to
a newer version.

We will continue to provide updates as they become available to us for
Scientific Linux 4.

Again, this is a reminder of the coming end of life for Scientific Linux
4 in February 2012.

- Scientific Linux Development Team
Date: Mon, 30 Jan 2012 15:54:11 -0600
Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it.
Sender: Security Errata for Scientific Linux
 
From: This email address is being protected from spambots. You need JavaScript enabled to view it.
Subject: Security ERRATA Moderate: ruby on SL4.x, SL5.x i386/x86_64
Comments: To: This email address is being protected from spambots. You need JavaScript enabled to view it.

Synopsis: Moderate: ruby security update
Issue Date: 2012-01-30
CVE Numbers: CVE-2011-2686
 CVE-2011-4815

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative
arrays (hashes) in Ruby. An attacker able to supply a large number of
inputs to a Ruby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, randomization
has been added to the hash function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2011-4815)

It was found that Ruby did not reinitialize the PRNG (pseudorandom number
generator) after forking a child process. This could eventually lead to the
PRNG returning the same result twice. An attacker keeping track of the
values returned by one child process could use this flaw to predict the
values the PRNG would return in other child processes (as long as the
parent process persisted). (CVE-2011-3009)

All users of ruby are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

SL4:
 i386
 irb-1.8.1-18.el4.i386.rpm
 ruby-1.8.1-18.el4.i386.rpm
 ruby-debuginfo-1.8.1-18.el4.i386.rpm
 ruby-devel-1.8.1-18.el4.i386.rpm
 ruby-docs-1.8.1-18.el4.i386.rpm
 ruby-libs-1.8.1-18.el4.i386.rpm
 ruby-mode-1.8.1-18.el4.i386.rpm
 ruby-tcltk-1.8.1-18.el4.i386.rpm
 x86_64
 irb-1.8.1-18.el4.x86_64.rpm
 ruby-1.8.1-18.el4.x86_64.rpm
 ruby-debuginfo-1.8.1-18.el4.i386.rpm
 ruby-debuginfo-1.8.1-18.el4.x86_64.rpm
 ruby-devel-1.8.1-18.el4.x86_64.rpm
 ruby-docs-1.8.1-18.el4.x86_64.rpm
 ruby-libs-1.8.1-18.el4.i386.rpm
 ruby-libs-1.8.1-18.el4.x86_64.rpm
 ruby-mode-1.8.1-18.el4.x86_64.rpm
 ruby-tcltk-1.8.1-18.el4.x86_64.rpm
SL5:
 i386
 ruby-1.8.5-22.el5_7.1.i386.rpm
 ruby-debuginfo-1.8.5-22.el5_7.1.i386.rpm
 ruby-devel-1.8.5-22.el5_7.1.i386.rpm
 ruby-docs-1.8.5-22.el5_7.1.i386.rpm
 ruby-irb-1.8.5-22.el5_7.1.i386.rpm
 ruby-libs-1.8.5-22.el5_7.1.i386.rpm
 ruby-mode-1.8.5-22.el5_7.1.i386.rpm
 ruby-rdoc-1.8.5-22.el5_7.1.i386.rpm
 ruby-ri-1.8.5-22.el5_7.1.i386.rpm
 ruby-tcltk-1.8.5-22.el5_7.1.i386.rpm
 x86_64
 ruby-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-debuginfo-1.8.5-22.el5_7.1.i386.rpm
 ruby-debuginfo-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-devel-1.8.5-22.el5_7.1.i386.rpm
 ruby-devel-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-docs-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-irb-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-libs-1.8.5-22.el5_7.1.i386.rpm
 ruby-libs-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-mode-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-rdoc-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-ri-1.8.5-22.el5_7.1.x86_64.rpm
 ruby-tcltk-1.8.5-22.el5_7.1.x86_64.rpm

- Scientific Linux Development Team