CVE-2011-2686

Publication date 5 August 2011

Last updated 24 July 2024

Ubuntu priority

Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ruby1.8	11.10 oneiric	Not affected
	11.04 natty	Fixed 1.8.7.302-2ubuntu0.1
	10.10 maverick	Fixed 1.8.7.299-2ubuntu0.1
	10.04 LTS lucid	Fixed 1.8.7.249-2ubuntu0.1
	8.04 LTS hardy	Ignored end of life

Notes

jdstrand

ruby1.8 only

tyhicks

Simple test case in upstream bug's description

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ruby1.8	Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713

CVE-2011-2686

Status

Notes

jdstrand

tyhicks

Patch details

References

Related Ubuntu Security Notices (USN)

Other references