CERT RENATER advisories

By default, this page shows the most recent messages sent by CERT RENATER to the community. You can narrow the list by year or by message type. If no criterion is given, only the most recent messages are shown.
Date : Tue, 24 Jun 2008 17:05:57 +0200
Type : VULN
Subject : CERT-Renater : 2008/VULN240 (Ruby: Arbitrary code execution vulnerabilities)
====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN240
_____________________________________________________________________

DATE                      : 24/06/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Ruby.

======================================================================
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

______________________________________________________________________

Arbitrary code execution vulnerabilities

    Multiple vulnerabilities in Ruby may lead to a denial of service
(DoS) condition or allow execution of arbitrary code.

Impact

    Through the following vulnerabilities, an attacker can cause a denial
    of service condition or execute arbitrary code.
      * CVE-2008-2662
      * CVE-2008-2663
      * CVE-2008-2725
      * CVE-2008-2726
      * CVE-2008-2664

Vulnerable versions

    1.8 series

      + 1.8.4 and all prior versions
      + 1.8.5-p230 and all prior versions
      + 1.8.6-p229 and all prior versions
      + 1.8.7-p21 and all prior versions

    1.9 series

      + 1.9.0-1 and all prior versions

Solution

    1.8 series
      Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22.

      + 
        (md5sum: e900cf225d55414bffe878f00a85807c)
      + 
        (md5sum: 5e8247e39be2dc3c1a755579c340857f)
      + 
        (md5sum: fc3ede83a98f48d8cb6de2145f680ef2)

    1.9 series
      Please upgrade to 1.9.0-2.

      + 
        (md5sum: 2a848b81ed1d6393b88eec8aa6173b75)

    These versions also fix the vulnerability of WEBrick
    (CVE-2008-1891).

    Please note that a package that corrects this weakness may already be
    available through your package management software.
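
    Added example, not part of the CERT-Renater notice or of the ruby-lang.org
    announcement it relays: a small Ruby script that maps the version table
    above onto a check of the running interpreter (or of any version/patchlevel
    pair), and verifies a downloaded tarball against an md5sum such as the ones
    quoted in the Solution section. The names vulnerable?, running_ruby_vulnerable?
    and md5_matches?, and the treatment of the number after the dash in
    "1.9.0-1" as a patchlevel, are this example's own assumptions.

```ruby
# Added example (not from the CERT-Renater notice or ruby-lang.org): decide
# whether a Ruby build falls inside this advisory's "Vulnerable versions"
# table, and verify a downloaded tarball against a published md5sum.
require 'digest/md5'
require 'tempfile'

# Highest affected patchlevel per release line, transcribed from the
# advisory. Release lines not listed here (and newer than 1.8.4) are treated
# as not covered by this advisory. For the 1.9.0 line the number after the
# dash in "1.9.0-1" is used as the patchlevel; this is an assumption of the
# example, since RUBY_PATCHLEVEL does not carry that release number.
LAST_VULNERABLE_PATCHLEVEL = {
  '1.8.5' => 230,
  '1.8.6' => 229,
  '1.8.7' => 21,
  '1.9.0' => 1
}.freeze

# Turn "1.8.10" into [1, 8, 10] so that comparison is numeric, not lexical.
def version_key(version)
  version.split('.').map(&:to_i)
end

# True when the given release string and patchlevel are listed as affected.
# A patchlevel of -1 (what RUBY_PATCHLEVEL reports for some unofficial or
# snapshot builds) is treated as "unknown" and therefore as vulnerable
# whenever the release line itself is listed.
def vulnerable?(version, patchlevel)
  # "1.8.4 and all prior versions": every release up to and including 1.8.4
  return true if (version_key(version) <=> [1, 8, 4]) <= 0

  last = LAST_VULNERABLE_PATCHLEVEL[version]
  return false if last.nil?

  patchlevel.to_i <= last
end

# Check the interpreter this script is running under.
def running_ruby_vulnerable?
  patchlevel = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : -1
  vulnerable?(RUBY_VERSION, patchlevel)
end

# Compare a downloaded file with the md5sum quoted in the advisory. MD5 is
# not collision resistant, so this only catches accidental corruption or a
# careless substitution; it is what the 2008 notice offers, nothing more.
def md5_matches?(path, expected_hex)
  Digest::MD5.file(path).hexdigest == expected_hex.strip.downcase
end

if __FILE__ == $PROGRAM_NAME
  status = running_ruby_vulnerable? ? 'VULNERABLE per 2008/VULN240' : 'not listed in 2008/VULN240'
  shown_patchlevel = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : '?'
  puts "Ruby #{RUBY_VERSION} patchlevel #{shown_patchlevel}: #{status}"

  # Constructed sample: a throwaway file whose md5 we know, standing in for
  # a downloaded tarball and the md5sum quoted for it in the advisory.
  sample = Tempfile.new('ruby-tarball-check')
  sample.write('abc')
  sample.close
  puts "md5 check on sample: #{md5_matches?(sample.path, '900150983CD24FB0D6963F7D28E17F72')}"
  sample.unlink
end
```

    To use it against a real download, call md5_matches? with the tarball path
    and the md5sum printed next to it in the Solution section. A match proves
    only that the file is the one the advisory describes, not that the source
    it came from is trustworthy; prefer the signed package from your
    distribution where one exists, as the notice itself suggests.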

Credit

    Credit to Drew Yao of Apple Product Security for disclosing the
    problem to the Ruby Security Team.

Changes

      * 2008-06-21 00:29 +09:00 removed wrong CVE IDs (CVE-2008-2727,
        CVE-2008-2728).

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================