Your submission was sent successfully! Close

USN-900-1: Ruby vulnerabilities

16 February 2010

Ruby vulnerabilities

Releases

Packages

Details

Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)

Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)

It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 9.04
Ubuntu 8.10

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Related notices

  • USN-805-1: ruby1.9, ruby1.8, libruby1.8, libruby1.9