From security@mandriva.com Fri Oct 21 03:17:38 2005 From: Mandriva Security Team To: full-disclosure@lists.grok.org.uk Date: Fri, 21 Oct 2005 00:26:08 -0600 Subject: [Full-disclosure] MDKSA-2005:191 - Updated ruby packages fix safe level and taint flag protections vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Update Advisory _______________________________________________________________________ Package name: ruby Advisory ID: MDKSA-2005:191 Date: October 20th, 2005 Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0, Corporate Server 2.1 ______________________________________________________________________ Problem Description: Yutaka Oiwa discovered a bug in Ruby, the interpreter for the object-oriented scripting language, that can cause illegal program code to bypass the safe level and taint flag protections check and be executed. The updated packages have been patched to address this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2337 ______________________________________________________________________ Updated Packages: Mandrivalinux 10.1: 013e98f0b0a09acd8c48b5d438c4e151 10.1/RPMS/ruby-1.8.1-4.4.101mdk.i586.rpm 479e965b6302bd0e74b8699f0a7b9f46 10.1/RPMS/ruby-devel-1.8.1-4.4.101mdk.i586.rpm b5654a6d4bab0b5a33e3e65fdb8bab52 10.1/RPMS/ruby-doc-1.8.1-4.4.101mdk.i586.rpm 2294bfd6f57ebc2cc6eb353e4a62a4b5 10.1/RPMS/ruby-tk-1.8.1-4.4.101mdk.i586.rpm 5407dfbbb45af31d3ffa53f120773f77 10.1/SRPMS/ruby-1.8.1-4.4.101mdk.src.rpm Mandrivalinux 10.1/X86_64: b8347f871a62a176f049cbe010e298ce x86_64/10.1/RPMS/ruby-1.8.1-4.4.101mdk.x86_64.rpm b9ac7ecba0bc317869795146cf3cc5a4 x86_64/10.1/RPMS/ruby-devel-1.8.1-4.4.101mdk.x86_64.rpm 7803195d658cdf63324f8bf54753018e x86_64/10.1/RPMS/ruby-doc-1.8.1-4.4.101mdk.x86_64.rpm 0f6cb61b12453673ef4a7fb99b6069af x86_64/10.1/RPMS/ruby-tk-1.8.1-4.4.101mdk.x86_64.rpm 5407dfbbb45af31d3ffa53f120773f77 x86_64/10.1/SRPMS/ruby-1.8.1-4.4.101mdk.src.rpm Mandrivalinux 10.2: 8dacd4429ab40932585f32c446c485c4 10.2/RPMS/ruby-1.8.2-6.2.102mdk.i586.rpm 9bd632d447a4181d23df23b201ed0449 10.2/RPMS/ruby-devel-1.8.2-6.2.102mdk.i586.rpm 2791a34503afa5961322eaf5fc333bd4 10.2/RPMS/ruby-doc-1.8.2-6.2.102mdk.i586.rpm 049930c32634b61b84d9dee864e61aa9 10.2/RPMS/ruby-tk-1.8.2-6.2.102mdk.i586.rpm dc977cb9732027526dbd44560782efaa 10.2/SRPMS/ruby-1.8.2-6.2.102mdk.src.rpm Mandrivalinux 10.2/X86_64: 9f6f824fa7aded95ede337b87be9f755 x86_64/10.2/RPMS/ruby-1.8.2-6.2.102mdk.x86_64.rpm 0ad81eece9fc0407edeaadc5022968ea x86_64/10.2/RPMS/ruby-doc-1.8.2-6.2.102mdk.x86_64.rpm 0cbd8c37bb4aea5c10cda8365f7ed24f x86_64/10.2/RPMS/ruby-devel-1.8.2-6.2.102mdk.x86_64.rpm 3f09e472b1cecb61a8678d020011950c x86_64/10.2/RPMS/ruby-tk-1.8.2-6.2.102mdk.x86_64.rpm dc977cb9732027526dbd44560782efaa x86_64/10.2/SRPMS/ruby-1.8.2-6.2.102mdk.src.rpm Mandrivalinux 2006.0: c06382cc5f1a7fc8cc2c40b9711faaf7 2006.0/RPMS/ruby-1.8.2-7.1.20060mdk.i586.rpm 5e9055ac81c54dd7f3890545218e4c45 2006.0/RPMS/ruby-devel-1.8.2-7.1.20060mdk.i586.rpm cebf1739bb3556133869e7b7e9a00d0a 2006.0/RPMS/ruby-doc-1.8.2-7.1.20060mdk.i586.rpm 98c29d442e747bf59eb7ea9e6827f71b 2006.0/RPMS/ruby-tk-1.8.2-7.1.20060mdk.i586.rpm 097adecc2dd5717d2a680022e45ff0cb 2006.0/SRPMS/ruby-1.8.2-7.1.20060mdk.src.rpm Mandrivalinux 2006.0/X86_64: b3bfdeb9f7cfa57a7fa9c3c7f596d56e x86_64/2006.0/RPMS/ruby-1.8.2-7.1.20060mdk.x86_64.rpm 1cb9a200ad2c5164e8b7eff06753af39 x86_64/2006.0/RPMS/ruby-devel-1.8.2-7.1.20060mdk.x86_64.rpm cff404480732c672d36ca80b8ca1a4ec x86_64/2006.0/RPMS/ruby-doc-1.8.2-7.1.20060mdk.x86_64.rpm 01bb92434b21127244b0fcd452a06251 x86_64/2006.0/RPMS/ruby-tk-1.8.2-7.1.20060mdk.x86_64.rpm 097adecc2dd5717d2a680022e45ff0cb x86_64/2006.0/SRPMS/ruby-1.8.2-7.1.20060mdk.src.rpm Corporate Server 2.1: 2aa9219b24bbcf8673df418eb373881b corporate/2.1/RPMS/ruby-devel-1.6.7-5.3.C21mdk.i586.rpm e5b4282401bf2c0794d14b52d7c6c319 corporate/2.1/RPMS/ruby-1.6.7-5.3.C21mdk.i586.rpm e72d411868d4ca8d7a05ba2e0baee926 corporate/2.1/RPMS/ruby-doc-1.6.7-5.3.C21mdk.i586.rpm c795d629e28719f7fe1e8a1619805fdc corporate/2.1/RPMS/ruby-tk-1.6.7-5.3.C21mdk.i586.rpm 61457cb16d1b24e1c31a10c687af94ef corporate/2.1/SRPMS/ruby-1.6.7-5.3.C21mdk.src.rpm Corporate Server 2.1/X86_64: d477751b1302ec7c5f271fe9597216fa x86_64/corporate/2.1/RPMS/ruby-1.6.7-5.3.C21mdk.x86_64.rpm b7ac888d722dc6fb8c5b9b9207e34ea3 x86_64/corporate/2.1/RPMS/ruby-devel-1.6.7-5.3.C21mdk.x86_64.rpm 27a29077b76158382c514b965fdf614f x86_64/corporate/2.1/RPMS/ruby-doc-1.6.7-5.3.C21mdk.x86_64.rpm 0e4752d11d67acdabc4561c37c41511e x86_64/corporate/2.1/RPMS/ruby-tk-1.6.7-5.3.C21mdk.x86_64.rpm 61457cb16d1b24e1c31a10c687af94ef x86_64/corporate/2.1/SRPMS/ruby-1.6.7-5.3.C21mdk.src.rpm Corporate 3.0: 704c24801697727ef0085d6408cc9d11 corporate/3.0/RPMS/ruby-1.8.1-1.4.C30mdk.i586.rpm 6a89e560b9f9ce68ed352cc3409ebf22 corporate/3.0/RPMS/ruby-devel-1.8.1-1.4.C30mdk.i586.rpm cfcc4c2bf95f4ae6b3a0fb7013b25618 corporate/3.0/RPMS/ruby-doc-1.8.1-1.4.C30mdk.i586.rpm 482e8dcdbedcac577f91c9133647c3cc corporate/3.0/RPMS/ruby-tk-1.8.1-1.4.C30mdk.i586.rpm a05a8da48327c79254cabaf42a7002d3 corporate/3.0/SRPMS/ruby-1.8.1-1.4.C30mdk.src.rpm Corporate 3.0/X86_64: 416a775e25eca23fe89314e4f0c1c762 x86_64/corporate/3.0/RPMS/ruby-1.8.1-1.4.C30mdk.x86_64.rpm 9ee750fd72214d68a95e2a45967e4107 x86_64/corporate/3.0/RPMS/ruby-devel-1.8.1-1.4.C30mdk.x86_64.rpm c4e65ac8d2660883cd6f9bb87b33db61 x86_64/corporate/3.0/RPMS/ruby-doc-1.8.1-1.4.C30mdk.x86_64.rpm 871cb8738de7856ab3d5d0602e3bfa10 x86_64/corporate/3.0/RPMS/ruby-tk-1.8.1-1.4.C30mdk.x86_64.rpm a05a8da48327c79254cabaf42a7002d3 x86_64/corporate/3.0/SRPMS/ruby-1.8.1-1.4.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDWIoAmqjQ0CJFipgRAmWAAKC2bXtS0hkrz2D8YGR1CPZK1Mb36QCeJ73+ HLz1sPgGs4IBkVKUEn36DsI= =JLok -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/