Explore top 10 tips to secure your open-source projects now. Read More
×
Date: Thu, 17 Oct 2013 19:26:46 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific LinuxFrom: Pat Riehecky Subject: Security ERRATA Moderate: rubygems on SL6.x (noarch) MIME-Version: 1.0 Synopsis: Moderate: rubygems security update Advisory ID: SLSA-2013:1441-1 Issue Date: 2013-10-17 CVE Numbers: CVE-2012-2125 CVE-2012-2126 CVE-2013-4287 -- It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. (CVE-2012-2126) It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. (CVE-2012-2125) It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion. (CVE-2013-4287) -- SL6 noarch rubygems-1.3.7-4.el6_4.noarch.rpm - Scientific Linux Development Team