Security Advisory Moderate: ruby193-ruby security update

Advisory: RHSA-2013:1137-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-08-05
Last updated on: 2013-08-05
Affected Products: Red Hat OpenShift Enterprise 1
CVEs (cve.mitre.org): CVE-2013-4073

Details

Updated ruby193-ruby packages that fix one security issue are now available
for Red Hat OpenShift Enterprise 1.2.2.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby is an extensible, interpreted, object-oriented scripting language.
It has features to process text files and to do system management tasks.

A flaw was found in Ruby's SSL client's hostname identity check when
handling certificates that contain hostnames with NULL bytes. An attacker
could potentially exploit this flaw to conduct man-in-the-middle attacks to
spoof SSL servers. Note that to exploit this issue, an attacker would need
to obtain a carefully-crafted certificate signed by an authority that the
client trusts. (CVE-2013-4073)
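The following added example (not part of the advisory or of Ruby's own code) illustrates the class of defect described above with constructed sample names: a hostname identity check that silently truncates a certificate name at the first NUL byte, beside a hardened check that treats any embedded NUL as malformed. The SAN-first, CN-fallback structure mirrors how a client-side identity check is typically organised; the names, functions and certificates are assumptions built for this illustration.

```ruby
# Added illustration of the NUL-byte hostname check bug class (constructed
# sample values, not real certificates or Ruby's own verifier code).

# Turn an X.509 dNSName (possibly with a leading "*." wildcard) into an
# anchored, case-insensitive regexp; "*" matches exactly one DNS label.
def name_pattern(name)
  /\A#{Regexp.escape(name).gsub('\*', '[^.]+')}\z/i
end

# Naive check: the certificate name is cut at the first NUL byte before
# matching, as happens when a DER string is read back through a C string API.
# "www.good.example\0.attacker.example" is then seen as "www.good.example".
def matches_naive?(cert_name, hostname)
  visible = cert_name.split("\0", 2).first
  !!(name_pattern(visible) =~ hostname)
end

# Hardened check: a dNSName is a byte-exact IA5String, so a NUL anywhere in
# the certificate name (or in the requested hostname) is malformed and must
# never match; empty names are rejected as well.
def matches_hardened?(cert_name, hostname)
  return false if cert_name.include?("\0") || hostname.include?("\0")
  return false if cert_name.empty?
  !!(name_pattern(cert_name) =~ hostname)
end

# Decide whether a constructed certificate identifies +hostname+.
# dNSName SAN entries are authoritative; the subject CN is consulted only
# when the certificate carries no dNSName at all.
def verify_identity(san_dns_names, subject_cn, hostname, hardened = true)
  check = hardened ? method(:matches_hardened?) : method(:matches_naive?)
  unless san_dns_names.empty?
    return san_dns_names.any? { |n| check.call(n, hostname) }
  end
  subject_cn ? check.call(subject_cn, hostname) : false
end

if __FILE__ == $0
  # Constructed sample: a SAN whose visible prefix is a name the certificate
  # holder does not control, separated by a NUL from the part they do.
  crafted = "www.good.example\0.attacker.example"
  puts "naive:    #{verify_identity([crafted], nil, 'www.good.example', false)}"
  puts "hardened: #{verify_identity([crafted], nil, 'www.good.example')}"
end
```

Run with a pre-fix interpreter in mind: the naive policy prints `true` for the crafted name, the hardened policy prints `false`.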

All users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to
these updated packages, which resolve this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat OpenShift Enterprise 1

SRPMS:
ruby193-ruby-1.9.3.448-38.el6.src.rpm     MD5: 19a9a4cbeeb9b1f9ca74633ee1c56025
SHA-256: 1cf41acf593fc338f4779453a4a8f89a4c485d6e328c3a24552a2198c7db4185
 
x86_64:
ruby193-ruby-1.9.3.448-38.el6.x86_64.rpm     MD5: 056e3bc172da9a3c9885a2f02a428e7c
SHA-256: c9497e3de29a2ef3c4143bee3c4e47cf338f537cec0511b270510a1a6b512069
ruby193-ruby-devel-1.9.3.448-38.el6.x86_64.rpm     MD5: c2c05a5c19bbacec3923679c059ff9c7
SHA-256: 4aa13d84f291c18a3ba3c46c6f34c77d1529e8b721cea7c2f3b76835a27626e6
ruby193-ruby-doc-1.9.3.448-38.el6.x86_64.rpm     MD5: b3d99efaacee517c6325dfd06ec68327
SHA-256: a8ee3a973d3ffbc9db1e69dcd8685553a55acb89987bd31ca2ec806e1dadd787
ruby193-ruby-irb-1.9.3.448-38.el6.noarch.rpm     MD5: b4d127c600b8d67af30961731059c8db
SHA-256: 856b050dac96be0932caf58ca862801962ee13fe9c22ccba254e35e061f4eade
ruby193-ruby-libs-1.9.3.448-38.el6.x86_64.rpm     MD5: fc6fc168959335ba48d112255163b9b8
SHA-256: 92583ec4d497d3c9b98ed0829d0c709ac2e7540e663b11717db3b70dfbac34fe
ruby193-ruby-tcltk-1.9.3.448-38.el6.x86_64.rpm     MD5: 8573fce9616dfa158cee74b4e3227000
SHA-256: 7c76a215fb7bdc04090f8f102edcdb725dcf2a6043648a999b0db48c823bf401
ruby193-rubygem-bigdecimal-1.1.0-38.el6.x86_64.rpm     MD5: 1c18d778734d48617abda376023dda3c
SHA-256: 940ee0e505d832feb5586b98c257de76d0ad25b53949518397207a1728c89e6a
ruby193-rubygem-io-console-0.3-38.el6.x86_64.rpm     MD5: f56365886aebb6551309dd91b1e02fc7
SHA-256: 32b9c8903945bfd0449515811fc8226325f22c598e1120aa3a9315fb30819df8
ruby193-rubygem-json-1.5.5-38.el6.x86_64.rpm     MD5: e6e6e7a77b8fd3ae0af2dc8cb82f6594
SHA-256: 3a7869758c740c65b6d1d119c88e45a0292788ce26fe7d2cae725834a48b3607
ruby193-rubygem-rake-0.9.2.2-38.el6.noarch.rpm     MD5: c5f1581c62e746256ab047067902a8be
SHA-256: fe574964107c152cae9f47fcad4814c6400d324000b43a46f21951d90b5bc7a9
ruby193-rubygem-rdoc-3.9.5-38.el6.x86_64.rpm     MD5: b45fe6ea26ff0419ed18fd140f7841f9
SHA-256: adf5f8e28aba39bb7289b66cc4e96507bea6d6c9862d3ef025f1b2143f1d3410
ruby193-rubygems-1.8.23-38.el6.noarch.rpm     MD5: b8e9c58376ad76fcd18a8e276cbf76da
SHA-256: a9a883d7cc3fa6be8a27c8310489d06a726f19d56be09bced6707d41892fbd2f
ruby193-rubygems-devel-1.8.23-38.el6.noarch.rpm     MD5: 61638228add0ada3f927b53779961e9b
SHA-256: a8f9d3cdd47ccd5bf85b8955c5933947244d6e317d396eee08b85d004ea32a95
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

979251 - CVE-2013-4073 ruby: hostname check bypassing vulnerability in SSL client


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/