
Security Advisory Moderate: rubygem packages security update

Advisory: RHSA-2013:0728-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-04-09
Last updated on: 2013-04-09
Affected Products: Red Hat OpenShift Enterprise 1
CVEs (cve.mitre.org): CVE-2013-0256

Details

This update fixes one security issue in multiple rubygem packages for
Red Hat OpenShift Enterprise 1.1.3.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby is an extensible, interpreted, object-oriented scripting language. It
has features to process text files and to do system management tasks.

It was found that documentation created by RDoc was vulnerable to a
cross-site scripting (XSS) attack. If such documentation was accessible
over a network, and a remote attacker could trick a user into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's session. As RDoc is used for creating
documentation for Ruby source files (such as classes, modules, and so on),
it is not a common scenario to make such documentation accessible over the
network. (CVE-2013-0256)

This update provides a number of updated rubygem packages that have had
their documentation regenerated with a corrected version of RDoc.

Red Hat would like to thank Eric Hodel of RDoc upstream for reporting this
issue. Upstream acknowledges Evgeny Ermakov as the original reporter.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these
updated packages, which correct this issue.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat OpenShift Enterprise 1

SRPMS:
ruby193-rubygem-activesupport-3.2.8-4.el6.src.rpm     MD5: 3d73187496de97d125ccaa7650d08208
SHA-256: 40865e75d859489c282fe7f0a2869ca9fbaba293a671c29121ac336d73358d57
ruby193-rubygem-bcrypt-ruby-3.0.1-7.el6.src.rpm     MD5: c34bb9289812c89e05a5858949087aeb
SHA-256: 9ee81c1b925b0ac2f138781f3c9ff5d5d26f239c82bd4568c75676229fac6141
ruby193-rubygem-bson-1.5.2-6.el6op.src.rpm     MD5: f3c7806670b6680bb0eaf5bc4139eef7
SHA-256: a47429b4a989bb59d6e93c625fd6ed73f00bb1bd1a29868e814a60fb1d92d64c
ruby193-rubygem-chunky_png-1.2.6-3.el6op.src.rpm     MD5: aa936da1bad95b102cd1bef4d5da32c4
SHA-256: 4619dc42f604a1d256fcdecddd169816336e354c59db4a016662a266908785a0
ruby193-rubygem-ci_reporter-1.7.2-4.el6op.src.rpm     MD5: 23defbe6e35cbbee70d01ab8c041262c
SHA-256: 46427828bb44fc6fe2cb326aa7b0ca1130dd2a54970452d771946d421f66ecc7
ruby193-rubygem-compass-0.12.2-4.el6op.src.rpm     MD5: 893c1325554e88d12426063dd4672bc3
SHA-256: 00f33285690b21d0c9873984424aea6f372a294a09edefe1c5f296d2a3e49cd8
ruby193-rubygem-fastthread-1.0.7-7.el6op.src.rpm     MD5: 8fdf387187855f51495b963a7fd69542
SHA-256: 814a69fb68475c86639808b290f4c859db4d4e1a988b199a672020f2247088d0
ruby193-rubygem-haml-3.1.7-3.el6op.src.rpm     MD5: db3385d8318dad140294edf05204c848
SHA-256: aec20fdf8296046baf87f80bdd56256f7e29fd6f8ac5ecc9a97471fc76c7766c
ruby193-rubygem-http_connection-1.4.1-7.el6.src.rpm     MD5: bab1bbd382ce7d72beea9584ac551a4a
SHA-256: 610bbe4bb9ac6884ae407dbbcc82ce271aee3383c4cdd1c854a7453514cdb9bd
ruby193-rubygem-rack-1.4.1-5.el6.src.rpm     MD5: 9355897314facce8003ba91094e8db9c
SHA-256: f2f72b6d63f16c4be0a48198aab052ff4e7553bb0aa99d5d7300f6b02529c777
ruby193-rubygem-rack-test-0.6.1-3.el6.src.rpm     MD5: 1d4107179654a2d508eb445966277de0
SHA-256: 4cfef811dd94a036d65b30dea988e31eff95e69560ccc7b008f18ae7b56d14e0
ruby193-rubygem-rspec-2.11.0-2.el6.src.rpm     MD5: 5bc79124cfa6767b3e001facdb92a101
SHA-256: 17c6733e191758f632f2a37b92f59f4b826bb42c5e0dd3dc2bceedd72c627c9b
ruby193-rubygem-treetop-1.4.10-6.el6.src.rpm     MD5: 2e24bbfadcafa294ee958b4c013366d2
SHA-256: bb95ff4d97b1270ad9930396a76f1dfe40d97cb5b31016e916f3279a1520c713
ruby193-rubygem-xml-simple-1.0.12-10.el6op.src.rpm     MD5: 6b80790120d8a91c4610801843f3c7f6
SHA-256: 8ad7b6b4f1cd96ff982bb5644effb3e350c383f71dca9a5490f34ca14be1c61f
 
x86_64:
ruby193-rubygem-activesupport-3.2.8-4.el6.noarch.rpm     MD5: f9c9a4f6fdd563df58f7b85a987d8a96
SHA-256: 9d050e5537498b819daec2c9ab6204c5b05cd437209b42b325846d76b18a51a4
ruby193-rubygem-bcrypt-ruby-3.0.1-7.el6.x86_64.rpm     MD5: e472458ef66902afeec498874c6080a9
SHA-256: 1223af4e234a62efd8861255a9404f7018b555ea50f71d7e16db6674777422e5
ruby193-rubygem-bcrypt-ruby-debuginfo-3.0.1-7.el6.x86_64.rpm     MD5: bac733ae2b7c3009df6623b4e378dd52
SHA-256: 78a9a49a187a3b9802b8a46b96ff3ac3665aff3d74148dc6152e5c42b640497d
ruby193-rubygem-bson-1.5.2-6.el6op.noarch.rpm     MD5: f9c12b0a76f886ca58a112b6dc8c779e
SHA-256: 58637ab3c8e2b94dee4eaf8c54c25baff4a0998c805efd8455f3f9edfa0f88f8
ruby193-rubygem-chunky_png-1.2.6-3.el6op.noarch.rpm     MD5: 5f6f80488666f41fabc04cb2345c3e6d
SHA-256: 1cf031c8ed3b2f791f8518673a7e6aea711b48d8ef70add86ad991b0c4e444a8
ruby193-rubygem-ci_reporter-1.7.2-4.el6op.noarch.rpm     MD5: 915d4f728644ab270d2228a4b4084000
SHA-256: 067b465344615d1423c1b758bdbb53702330b2d946f69af1f9d047ec6db1ee23
ruby193-rubygem-compass-0.12.2-4.el6op.noarch.rpm     MD5: 02f9b7651c6e6c31d1409aef40cc2636
SHA-256: 3393493ad37c23f1f2373119c83a2d7731b0c1bf143bf323389bc7a163e1e61c
ruby193-rubygem-fastthread-1.0.7-7.el6op.x86_64.rpm     MD5: e6f0effdf0e6549369bd4ae6095cad71
SHA-256: de92a9614bc44cdd6707f0964ebc9eccd3cf49281e1817e4b753bf65fcc51cc0
ruby193-rubygem-fastthread-debuginfo-1.0.7-7.el6op.x86_64.rpm     MD5: bcc77c44dcfc9b6e9e77c221a8d5333e
SHA-256: b61c13a1bb0b426e14c7e50a7fff2f8b56bf47b9be5b523bcb541849b243731c
ruby193-rubygem-haml-3.1.7-3.el6op.noarch.rpm     MD5: d4adb51e3cba680e738c6c89fe334787
SHA-256: 332dee32d3c5d311ef40339de1d03f0ae2add7e34a5f6d6b08f3c390cebbe85f
ruby193-rubygem-http_connection-1.4.1-7.el6.noarch.rpm     MD5: 1f11284c2c00ab325eea1f9431f73b39
SHA-256: 3622ede664363db55745e2bccf03ea195f16a417fd372f083107830d572fa714
ruby193-rubygem-rack-1.4.1-5.el6.noarch.rpm     MD5: 829ea888210311a1d3368daa76dae1a9
SHA-256: 996e3f440c03d8878222c525f5d9dcdaf2d61b6ae291d389b38c9bfb4009606f
ruby193-rubygem-rack-test-0.6.1-3.el6.noarch.rpm     MD5: b874cb497f7fd9ab949ef0ab1e873dd2
SHA-256: 7e875c98157420d2a933eb647396cdfee6f550d55f71e09614e9b410eaffe881
ruby193-rubygem-rspec-2.11.0-2.el6.noarch.rpm     MD5: e564efeadd43084a6e0637ad0fa0713c
SHA-256: e33fc102b2b839b1d7d7b6464874fe74a0a82ee0d6bf26842b0a5c0a322865b6
ruby193-rubygem-treetop-1.4.10-6.el6.noarch.rpm     MD5: e92236f33bf2a2dfad8dfb07cfd11647
SHA-256: de506f80c13a2908104598b2bfaa1f87928b6552235aa6f24772d7a18da6782e
ruby193-rubygem-xml-simple-1.0.12-10.el6op.noarch.rpm     MD5: 44f5961d5bcea2dbce6e3fdfe2b3cfc1
SHA-256: cf99c0e9c1e46bf78b03a56e3587f0f055cf72c69312894d13530c74d029cbb3
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

907820 - CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/