USN-2397-1: Ruby vulnerabilities
04 November 2014
Several security issues were fixed in Ruby.
Details
Will Wood discovered that Ruby incorrectly handled the encodes() function.
An attacker could possibly use this issue to cause Ruby to crash, resulting
in a denial of service, or possibly execute arbitrary code. The default
compiler options for affected releases should reduce the vulnerability to a
denial of service. (CVE-2014-4975)
Willis Vandevanter discovered that Ruby incorrectly handled XML entity
expansion. An attacker could use this flaw to cause Ruby to consume large
amounts of resources, resulting in a denial of service. (CVE-2014-8080)
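The mitigation for the entity-expansion issue is to bound how far REXML will expand entities and to treat an aborted expansion as a rejected document. The script below is an added example, not code from the advisory or from Ruby; it uses REXML's public limit setters (present since the CVE-2014-8080 fix) and a small constructed three-level nested-entity fixture purely to confirm that the limits are enforced.

```ruby
require 'rexml/document'

# Constructed test fixture (not from the advisory): three levels of nested
# internal entities; each level multiplies the expanded size by three,
# so &c; expands to 90 bytes through 13 entity expansions.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY a "0123456789">
    <!ENTITY b "&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;">
  ]>
  <note>&c;</note>
XML

# Run a block with explicit REXML entity-expansion limits, restoring the
# process-wide defaults afterwards so other code in the process is unaffected.
def with_expansion_limits(count:, text_bytes:)
  old_count = REXML::Document.entity_expansion_limit
  old_text  = REXML::Document.entity_expansion_text_limit
  REXML::Document.entity_expansion_limit = count
  REXML::Document.entity_expansion_text_limit = text_bytes
  yield
ensure
  REXML::Document.entity_expansion_limit = old_count
  REXML::Document.entity_expansion_text_limit = old_text
end

# Parse the document and expand the root element's text under the given
# limits. Returns the expanded text, or :rejected if REXML aborted expansion.
def expand_root_text(xml, count:, text_bytes:)
  with_expansion_limits(count: count, text_bytes: text_bytes) do
    begin
      # Depending on the rexml version, expansion may be triggered while
      # parsing or only when Text#value runs, so both sit inside the rescue.
      REXML::Document.new(xml).root.text
    rescue RuntimeError # REXML::ParseException is a RuntimeError too
      :rejected
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Default-sized limits: the 90-byte expansion is allowed.
  puts expand_root_text(NESTED_ENTITY_XML, count: 10_000, text_bytes: 10_240).size
  # A 50-byte text budget: expansion is aborted.
  puts expand_root_text(NESTED_ENTITY_XML, count: 10_000, text_bytes: 50)
  # Only two expansions permitted: expansion is aborted.
  puts expand_root_text(NESTED_ENTITY_XML, count: 2, text_bytes: 10_240)
end
```

Pick the limits from the largest document you legitimately expect to parse; on a patched Ruby the defaults (10,000 expansions, 10,240 bytes) are already in force, and an aborted expansion surfaces as a RuntimeError that the caller must not silently ignore.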
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 14.10
  libruby2.0    2.0.0.484+really457-3ubuntu1.1
  libruby2.1    2.1.2-2ubuntu1.1
  ruby2.0       2.0.0.484+really457-3ubuntu1.1
  ruby2.1       2.1.2-2ubuntu1.1

Ubuntu 14.04
  libruby1.9.1  1.9.3.484-2ubuntu1.1
  libruby2.0    2.0.0.484-1ubuntu2.1
  ruby1.9.1     1.9.3.484-2ubuntu1.1
  ruby2.0       2.0.0.484-1ubuntu2.1

Ubuntu 12.04
  libruby1.8    1.8.7.352-2ubuntu1.5
  libruby1.9.1  1.9.3.0-1ubuntu2.9
  ruby1.8       1.8.7.352-2ubuntu1.5
  ruby1.9.1     1.9.3.0-1ubuntu2.9
In general, a standard system update will make all the necessary changes.