Skip to navigation

Security Advisory Moderate: ruby193-ruby, rubygem-json and rubygem-rdoc security update

Advisory: RHSA-2013:0701-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-04-02
Last updated on: 2013-04-02
Affected Products: Red Hat OpenShift Enterprise 1
CVEs (cve.mitre.org): CVE-2013-0256
CVE-2013-0269

Details

Updated ruby193-ruby, rubygem-json and rubygem-rdoc packages that fix two
security issues are now available for Red Hat OpenShift Enterprise 1.1.3.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to do system management tasks.

A flaw in rubygem-json and ruby193-rubygem-json allowed remote attacks by
creating different types of malicious objects. For example, it could
initiate a denial of service attack through resource consumption by using a
JSON document to create arbitrary Ruby symbols, which were never garbage
collected. It could also be exploited to create internal objects which
could allow a SQL injection attack. (CVE-2013-0269)

It was found that documentation created by rubygem-rdoc and
ruby193-rubygem-rdoc was vulnerable to a cross-site scripting (XSS) attack.
If such documentation was accessible over a network, and a remote attacker
could trick a user into visiting a specially-crafted URL, it would lead to
arbitrary web script execution in the context of the user's session. As
rubygem-rdoc and ruby193-rubygem-rdoc are used for creating documentation
for Ruby source files (such as classes, modules, and so on), it is not a
common scenario to make such documentation accessible over the network.
(CVE-2013-0256)

Red Hat would like to thank Ruby on Rails upstream for reporting
CVE-2013-0269, and Eric Hodel of RDoc upstream for reporting CVE-2013-0256.
Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the
original reporters of CVE-2013-0269, and Evgeny Ermakov as the original
reporter of CVE-2013-0256.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these
updated packages, which correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat OpenShift Enterprise 1

SRPMS:
ruby193-ruby-1.9.3.327-28.el6.src.rpm     MD5: dca49720d8ac5d896546a86ecfb767bd
SHA-256: be7eb3a952df989df8925308e5ce94c345487a602781c5efc26916d33e8fd0f3
rubygem-json-1.7.3-2.el6op.src.rpm     MD5: 256f847ff78d39bd95874d69ec4c0851
SHA-256: 4311d65976755474ef91ceea6e493be0900d52b1d610ca4a592d33f9ce549412
rubygem-rdoc-3.8-9.el6op.src.rpm     MD5: d540e97ba8a2294aa3732004e65b4835
SHA-256: 1213ea18ab805a323c414976d0ca35980a4ec75e0972932ac5db62820e8a684e
 
x86_64:
ruby193-ruby-1.9.3.327-28.el6.x86_64.rpm     MD5: fad0572464f7eb6f91c91a343711ca45
SHA-256: e693c1d2198c93e8f7e9ab80f9efffd9323f4419f794297efadf0c2b2950c3cd
ruby193-ruby-debuginfo-1.9.3.327-28.el6.x86_64.rpm     MD5: c8f1219424fc505c6d42689a23f65617
SHA-256: d5551643d5d5f5df37aee86d266024d7b085c270047ffc5e2aa44e38df1c79ca
ruby193-ruby-devel-1.9.3.327-28.el6.x86_64.rpm     MD5: 80fe53ada5cd773cd298b875b5e9bd6e
SHA-256: bdde8afd9d55b51693ee756de2189728a256d7750dab91c82ba6fc7f97c3fdcb
ruby193-ruby-doc-1.9.3.327-28.el6.x86_64.rpm     MD5: 65f97839863e189c134cd1b3da40adbc
SHA-256: 5eb623e0a1aeac56e09fc05c6853a90748d55f95ea2d80a4815d54ef80957865
ruby193-ruby-irb-1.9.3.327-28.el6.noarch.rpm     MD5: e570e1b58997935a51465720c1c5181d
SHA-256: 7b97cad55305c46d89b7dd73a6f9c0038bd11a788f267b3a1d2c845acbebfbe9
ruby193-ruby-libs-1.9.3.327-28.el6.x86_64.rpm     MD5: f550c85e040420486ae5271da5bd75ee
SHA-256: c2210de23b8c0aa72bc8635804e06f7a3097a0271c660d2f99c6a1433c325d63
ruby193-ruby-tcltk-1.9.3.327-28.el6.x86_64.rpm     MD5: 7261cd405e3bb7f158e79e5e219e9ee5
SHA-256: 6fcf7df621cedd6c272571f5fa6b02abc0a19c8d98a2c63cd77d14c62399cc1c
ruby193-rubygem-bigdecimal-1.1.0-28.el6.x86_64.rpm     MD5: f1b119bb9594a37e29e345110d06cd64
SHA-256: 04fb0e74258fbf4f234382cdcd576bd3d59ef4cf2603e5b7c694cb1d46dda9d5
ruby193-rubygem-io-console-0.3-28.el6.x86_64.rpm     MD5: 8e648af8ebfce954238b11eaebef6a59
SHA-256: d5c0f43a0b41747053600d8214d75f0e5192c47127ebebeaf516493946f5dacb
ruby193-rubygem-json-1.5.4-28.el6.x86_64.rpm     MD5: d00d7ace8907680c52debfd44a13553f
SHA-256: 7ae584da3d3a382b0026d820bc2ae2413d0f93f52e89a270ba4120b2a72c3c39
ruby193-rubygem-minitest-2.5.1-28.el6.noarch.rpm     MD5: 98c1146a97d6910dcf810b045baecebb
SHA-256: cd5f1b16487413f2d39f8b03c5062f87cf23f3b44fa0a6d34e33d9320d243d45
ruby193-rubygem-rake-0.9.2.2-28.el6.noarch.rpm     MD5: 5b8a104cfbfc21a661349b74d0682713
SHA-256: ba5b576df0cab56d25af28fbf1e687b5eb5e596bad5088ba9080e63faf98d200
ruby193-rubygem-rdoc-3.9.4-28.el6.x86_64.rpm     MD5: 862a739ff5bc2dc2e185ec26b096d085
SHA-256: 9c87b83e6c5aad1207180b661a1f308bd40391a3bc20b856451d0462291f50c5
ruby193-rubygems-1.8.23-28.el6.noarch.rpm     MD5: ba56301dba43b1183af4a38034dbc626
SHA-256: 5a5fbda4d219de420dac0b4e96015b2c9b455168061d05be1dcfb6e22ade47a5
ruby193-rubygems-devel-1.8.23-28.el6.noarch.rpm     MD5: 7a8d009b30bd59825995dbee8f88d848
SHA-256: 1cf53831cbf6d385c6dead517b252f1e4f7d318efc5df2a96dd8767cf8ecfd1a
rubygem-json-1.7.3-2.el6op.x86_64.rpm     MD5: 2dd377be1329696e4ef5fe37ddae05df
SHA-256: 52083cd697a927899c6d84c012720a3296962022473e1ee40558eca1b09907df
rubygem-json-debuginfo-1.7.3-2.el6op.x86_64.rpm     MD5: 92fe185677a6fb7fa5cddbae969fea99
SHA-256: 9b984459b727a41aa8ca7c1a5ef3433129177a558c0b85629ddb3ba55eb3381e
rubygem-json-doc-1.7.3-2.el6op.noarch.rpm     MD5: 64e7ce16b77b09adcfee232bd8f1d4bf
SHA-256: 110431effd815d12e9974c32f2966eb8b8a55ed02e84f628687b6e165afb4731
rubygem-rdoc-3.8-9.el6op.noarch.rpm     MD5: b7c0c0a1025d7c4fb7c242c8a10844dd
SHA-256: f28254d901b81ac87fdd782af011b5190a4b72ed736bace457ee4572021cea25
rubygem-rdoc-doc-3.8-9.el6op.noarch.rpm     MD5: 59b2097cb763828bf4ffe3fe5ac84052
SHA-256: e253519f1340610348fee80180dffb252c1954af3d6d331f43767a867ae92336
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

907820 - CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template
909029 - CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/