Alerts This Week
Warning Icon 1 700
Alerts This Week
Warning Icon 1 700

Ubuntu 12.04 LTS USN-1582-1 Moderate: RubyGems Malicious File Risks

Calendar Sep 26, 2012 User Avatar LinuxSecurity Advisories
1 - 2 min read
Ubuntu Large Esm H500
Topics%20covered

Topics Covered

security advisory Ubuntu package management man in the middle malicious files SSL issues RubyGems
RubyGems could be made to download and install malicious gem files. 
=========================================================================Ubuntu Security Notice USN-1582-1
September 26, 2012

rubygems vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

RubyGems could be made to download and install malicious gem files.

Software Description:
- rubygems: package management framework for Ruby libraries/applications

Details:

John Firebaugh discovered that the RubyGems remote gem fetcher did not properly
verify SSL certificates. A remote attacker could exploit this to perform a man
in the middle attack to alter gem files being downloaded for installation.
(CVE-2012-2126)

John Firebaugh discovered that the RubyGems remote gem fetcher allowed
redirection from HTTPS to HTTP. A remote attacker could exploit this to perform
a man in the middle attack to alter gem files being downloaded for
installation. (CVE-2012-2125)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  rubygems                        1.8.15-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-1582-1
  CVE-2012-2125, CVE-2012-2126

Package Information:
  https://launchpad.net/ubuntu/+source/rubygems/1.8.15-1ubuntu0.1

Ubuntu 12.04 LTS USN-1582-1 Moderate: RubyGems Malicious File Risks

ubuntu
Calendar Grey September 26, 2012
Dist Ubuntu Esm H88
Security Advisory: RubyGems has identified vulnerabilities that may lead to harmful file installations. Ubuntu 12.04 LTS users are urged to follow update guidelines to safeguard their systems
RubyGems could be made to download and install malicious gem files.

Summary

Topics%20covered

Topics Covered

security advisory Ubuntu package management man in the middle malicious files SSL issues RubyGems

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: rubygems 1.8.15-1ubuntu0.1 In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-1582-1

CVE-2012-2125, CVE-2012-2126

Severity
important
Lowest
Low
Medium
High
Critical

September 26, 2012

Topics%20covered

Topics Covered

security advisory Ubuntu package management man in the middle malicious files SSL issues RubyGems

Package Information

https://launchpad.net/ubuntu/+source/rubygems/1.8.15-1ubuntu0.1

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here