Security Advisory Moderate: ruby security update

Advisory: RHSA-2007:0961-4
Type: Security Advisory
Severity: Moderate
Issued on: 2007-11-13
Last updated on: 2007-11-13
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20070961.xml
CVEs (cve.mitre.org): CVE-2006-6303
CVE-2007-5162
CVE-2007-5770

Details

Updated ruby packages that fix several security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Ruby is an interpreted scripting language for object-oriented programming.

A flaw was discovered in the way Ruby's CGI module handles certain HTTP
requests. If a remote attacker sends a specially crafted request, it is
possible to cause the ruby CGI script to enter an infinite loop, possibly
causing a denial of service. (CVE-2006-6303)

An SSL certificate validation flaw was discovered in several Ruby Net
modules. The libraries were not checking the requested host name against
the common name (CN) in the SSL server certificate, possibly allowing a man
in the middle attack. (CVE-2007-5162, CVE-2007-5770)

Users of Ruby should upgrade to these updated packages, which contain
backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
ruby-1.8.1-7.EL4.8.1.src.rpm
File outdated by:  RHSA-2008:0561		     106605e96347c6766e83336109ba6ae0
 
IA-32:
irb-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     765be348e6e5cad8b65f70497d42051d
ruby-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     f73ba45ab88a14158cfa3b85c0ebfe82
ruby-devel-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     9d605627141ccc78801ae53c364c884e
ruby-docs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     4330a884a43cc05b072db0507185bb94
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-mode-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     0360306d3f6166b36c1931aaae8d34b9
ruby-tcltk-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     5535d1efd33c3cad3ee737d55f6f7681
 
x86_64:
irb-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     f2c8d1fca0386f4549afe1eed3b27bfe
ruby-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     1cb537a873061ed0920366a223aa4723
ruby-devel-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     ddd89b3fe0d886afe15d1e56fe9c25b3
ruby-docs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     22ca0c3995245046e85b4f378dc8e83f
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     92bde1960d6f6fd7b3c139cb1c27985c
ruby-mode-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     99bcb06185b20465900cafce0f97a3c0
ruby-tcltk-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     012c233146fe9350713e7ed1f24a577f
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
ruby-1.8.1-7.EL4.8.1.src.rpm
File outdated by:  RHSA-2008:0561		     106605e96347c6766e83336109ba6ae0
 
IA-32:
irb-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     765be348e6e5cad8b65f70497d42051d
ruby-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     f73ba45ab88a14158cfa3b85c0ebfe82
ruby-devel-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     9d605627141ccc78801ae53c364c884e
ruby-docs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     4330a884a43cc05b072db0507185bb94
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-mode-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     0360306d3f6166b36c1931aaae8d34b9
ruby-tcltk-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     5535d1efd33c3cad3ee737d55f6f7681
 
IA-64:
irb-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     79afb3c8edf4d65c3a6b07fdf52cb526
ruby-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     224177b4e85cbb98ea816a64dde00633
ruby-devel-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     918ccbb91646cd136c081d9ad33d3721
ruby-docs-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     d74490173c8eb515d92e14c0989e3b7e
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     7541fe15a20e6f4d76e54d4831b7bcf0
ruby-mode-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     f02558e7060950c1e494091870abb917
ruby-tcltk-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     65fab944a8c300f774a4bf9bf681e66e
 
PPC:
irb-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     32c8d583b12f0540150728beca98516a
ruby-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     253e37299eca96941362fd0da1b905b1
ruby-devel-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     d08807158491f3d09240aae131be1577
ruby-docs-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     9ddf28f5ae0a457e4d2ba9fc7ed4d150
ruby-libs-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     de396a9f2c3808849a666de02482704a
ruby-libs-1.8.1-7.EL4.8.1.ppc64.rpm
File outdated by:  RHSA-2008:0561		     af47b978c18c50d0051476bd033d1e50
ruby-mode-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     ca595a74f2fd54abfb2f91e14d83c84d
ruby-tcltk-1.8.1-7.EL4.8.1.ppc.rpm
File outdated by:  RHSA-2008:0561		     8b8d7eb76afedb6662d7f689c49b3258
 
s390:
irb-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     3dfffafb19d5612dac313a8cdedcaa08
ruby-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     01dd2123eaca564e4013feacb073600e
ruby-devel-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     0577bdd9c31681ec0db944e68ed0a258
ruby-docs-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     37e28a8e01e41e153b58c6365dc5ee20
ruby-libs-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     f4b2f51f031fe1b411ba17499399a989
ruby-mode-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     2625c174e9837fecf9c1fe41bc1b9002
ruby-tcltk-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     a5616a339f8d84a3da47eeff25a9aa84
 
s390x:
irb-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     213116e94f9e99f5f9c03043892ffbf3
ruby-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     db5a7d26cdfbefe2248a1d54b50f4157
ruby-devel-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     657ad52c8465fc84eaee4136d2adeff4
ruby-docs-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     b041f610b1d62a19c10261d6b409eb14
ruby-libs-1.8.1-7.EL4.8.1.s390.rpm
File outdated by:  RHSA-2008:0561		     f4b2f51f031fe1b411ba17499399a989
ruby-libs-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     8e7d43c13a8868217377d3d442430358
ruby-mode-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     0b8c3dc30bb9d932e7176882503c5ac4
ruby-tcltk-1.8.1-7.EL4.8.1.s390x.rpm
File outdated by:  RHSA-2008:0561		     98c1e9130ab7b2d2db4c6f0d9e157ec2
 
x86_64:
irb-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     f2c8d1fca0386f4549afe1eed3b27bfe
ruby-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     1cb537a873061ed0920366a223aa4723
ruby-devel-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     ddd89b3fe0d886afe15d1e56fe9c25b3
ruby-docs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     22ca0c3995245046e85b4f378dc8e83f
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     92bde1960d6f6fd7b3c139cb1c27985c
ruby-mode-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     99bcb06185b20465900cafce0f97a3c0
ruby-tcltk-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     012c233146fe9350713e7ed1f24a577f
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
ruby-1.8.1-7.EL4.8.1.src.rpm
File outdated by:  RHSA-2008:0561		     106605e96347c6766e83336109ba6ae0
 
IA-32:
irb-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     765be348e6e5cad8b65f70497d42051d
ruby-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     f73ba45ab88a14158cfa3b85c0ebfe82
ruby-devel-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     9d605627141ccc78801ae53c364c884e
ruby-docs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     4330a884a43cc05b072db0507185bb94
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-mode-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     0360306d3f6166b36c1931aaae8d34b9
ruby-tcltk-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     5535d1efd33c3cad3ee737d55f6f7681
 
IA-64:
irb-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     79afb3c8edf4d65c3a6b07fdf52cb526
ruby-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     224177b4e85cbb98ea816a64dde00633
ruby-devel-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     918ccbb91646cd136c081d9ad33d3721
ruby-docs-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     d74490173c8eb515d92e14c0989e3b7e
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     7541fe15a20e6f4d76e54d4831b7bcf0
ruby-mode-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     f02558e7060950c1e494091870abb917
ruby-tcltk-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     65fab944a8c300f774a4bf9bf681e66e
 
x86_64:
irb-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     f2c8d1fca0386f4549afe1eed3b27bfe
ruby-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     1cb537a873061ed0920366a223aa4723
ruby-devel-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     ddd89b3fe0d886afe15d1e56fe9c25b3
ruby-docs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     22ca0c3995245046e85b4f378dc8e83f
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     92bde1960d6f6fd7b3c139cb1c27985c
ruby-mode-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     99bcb06185b20465900cafce0f97a3c0
ruby-tcltk-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     012c233146fe9350713e7ed1f24a577f
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
ruby-1.8.1-7.EL4.8.1.src.rpm
File outdated by:  RHSA-2008:0561		     106605e96347c6766e83336109ba6ae0
 
IA-32:
irb-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     765be348e6e5cad8b65f70497d42051d
ruby-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     f73ba45ab88a14158cfa3b85c0ebfe82
ruby-devel-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     9d605627141ccc78801ae53c364c884e
ruby-docs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     4330a884a43cc05b072db0507185bb94
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-mode-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     0360306d3f6166b36c1931aaae8d34b9
ruby-tcltk-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     5535d1efd33c3cad3ee737d55f6f7681
 
IA-64:
irb-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     79afb3c8edf4d65c3a6b07fdf52cb526
ruby-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     224177b4e85cbb98ea816a64dde00633
ruby-devel-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     918ccbb91646cd136c081d9ad33d3721
ruby-docs-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     d74490173c8eb515d92e14c0989e3b7e
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     7541fe15a20e6f4d76e54d4831b7bcf0
ruby-mode-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     f02558e7060950c1e494091870abb917
ruby-tcltk-1.8.1-7.EL4.8.1.ia64.rpm
File outdated by:  RHSA-2008:0561		     65fab944a8c300f774a4bf9bf681e66e
 
x86_64:
irb-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     f2c8d1fca0386f4549afe1eed3b27bfe
ruby-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     1cb537a873061ed0920366a223aa4723
ruby-devel-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     ddd89b3fe0d886afe15d1e56fe9c25b3
ruby-docs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     22ca0c3995245046e85b4f378dc8e83f
ruby-libs-1.8.1-7.EL4.8.1.i386.rpm
File outdated by:  RHSA-2008:0561		     92278b25f1a1ea86d1b2c18afeb05d27
ruby-libs-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     92bde1960d6f6fd7b3c139cb1c27985c
ruby-mode-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     99bcb06185b20465900cafce0f97a3c0
ruby-tcltk-1.8.1-7.EL4.8.1.x86_64.rpm
File outdated by:  RHSA-2008:0561		     012c233146fe9350713e7ed1f24a577f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

218287 - CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS
313691 - CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate
362081 - CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/