
Security Advisory Moderate: rubygems security update

Advisory: RHSA-2013:1441-2
Type: Security Advisory
Severity: Moderate
Issued on: 2013-10-17
Last updated on: 2013-10-17
Affected Products:
  Red Hat Enterprise Linux Desktop (v. 6)
  Red Hat Enterprise Linux HPC Node (v. 6)
  Red Hat Enterprise Linux Server (v. 6)
  Red Hat Enterprise Linux Server AUS (v. 6.4)
  Red Hat Enterprise Linux Server EUS (v. 6.4.z)
  Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
  CVE-2012-2125
  CVE-2012-2126
  CVE-2013-4287

Details

An updated rubygems package that fixes three security issues is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

RubyGems is the Ruby standard for publishing and managing third-party
libraries.

It was found that RubyGems did not verify SSL connections. This could lead
to man-in-the-middle attacks. (CVE-2012-2126)

It was found that, when using RubyGems, the connection could be redirected
from HTTPS to HTTP. This could lead to a user believing they are installing
a gem via HTTPS, when the connection may have been silently downgraded to
HTTP. (CVE-2012-2125)
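Added example, not code from the advisory or from RubyGems itself: a Net::HTTP client that verifies the server certificate (the class of defect behind CVE-2012-2126) and a redirect check that refuses an HTTPS-to-HTTP downgrade (CVE-2012-2125). Helper names, the constructed redirect responses and the sample URLs are assumptions of this example.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build an HTTPS-only client that verifies the server certificate against the
# system trust store. Helper name is an assumption of this example.
def verified_https_client(uri)
  uri = URI(uri)
  raise ArgumentError, "HTTPS required, got #{uri.scheme.inspect}" unless uri.scheme == 'https'
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # fail the handshake on an untrusted cert
  http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http
end

# Given the URI that was requested and the redirect response it produced,
# return the next URI to fetch. A Location that leaves HTTPS for plain HTTP
# is the silent downgrade described above and is refused outright.
def next_hop(request_uri, response)
  request_uri = URI(request_uri)
  return nil unless response.is_a?(Net::HTTPRedirection)
  location = response['location'] or raise ArgumentError, 'redirect without Location header'
  target = URI.join(request_uri, location)   # resolves relative Location values too
  if request_uri.scheme == 'https' && target.scheme != 'https'
    raise SecurityError, "refusing HTTPS -> #{target.scheme} downgrade to #{target}"
  end
  target
end

# Constructed responses (no network needed): a same-scheme redirect and a downgrade.
if __FILE__ == $0
  ok = Net::HTTPFound.new('1.1', '302', 'Found')
  ok['location'] = '/gems/example.gem'
  puts next_hop('https://rubygems.org/downloads/x.gem', ok)   # https://rubygems.org/gems/example.gem
  bad = Net::HTTPFound.new('1.1', '302', 'Found')
  bad['location'] = 'http://rubygems.org/gems/example.gem'
  begin
    next_hop('https://rubygems.org/downloads/x.gem', bad)
  rescue SecurityError => e
    puts e.message
  end
end
```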

It was discovered that the rubygems API validated version strings using an
unsafe regular expression. An application making use of this API to process
a version string from an untrusted source could be vulnerable to a denial
of service attack through CPU exhaustion. (CVE-2013-4287)
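Added example, not code from the advisory or from RubyGems: the starred version pattern beside its fixed form with the group made optional (both patterns are paraphrased from memory of Gem::Version and are an assumption here; compare against your installed rubygems/version.rb), plus a linear-time, length-capped pre-check an application can apply to an untrusted version string before handing it to the gem API. The length cap and helper names are assumptions.

```ruby
require 'rubygems'

# Version patterns as this example recalls them from RubyGems' Gem::Version;
# treat them as an assumption and check your installed rubygems/version.rb.
VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*'

# Before the fix the whole version group was starred: a "+" nested in a "*"
# nested in another "*" lets the engine try exponentially many partitions of
# a non-matching string before giving up (CPU exhaustion, CVE-2013-4287).
VULNERABLE_ANCHORED = /\A\s*(#{VERSION_PATTERN})*\s*\z/

# After the fix the group may occur at most once, so the only repetition left
# is over dot-led segments, which cannot overlap with each other.
FIXED_ANCHORED = /\A\s*(#{VERSION_PATTERN})?\s*\z/

MAX_VERSION_LEN = 64   # assumed cap; real gem versions are far shorter

# Linear-time pre-check for untrusted input: bounded length, a leading
# numeric segment, then dot-separated alphanumeric segments. Each regex here
# is anchored over one short segment, so there is nothing to backtrack over.
def plausible_version?(str)
  return false unless str.is_a?(String) && str.bytesize <= MAX_VERSION_LEN
  s = str.strip
  return false if s.empty?
  segments = s.split('.', -1)
  return false unless segments.first.match?(/\A[0-9]+\z/)
  segments.drop(1).all? { |seg| seg.match?(/\A[0-9a-zA-Z]+\z/) }
end

# Only strings that pass the cheap check reach the gem API's own parser.
def safe_version(str)
  raise ArgumentError, "rejected version string #{str.inspect}" unless plausible_version?(str)
  Gem::Version.new(str.strip)
end
```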

Red Hat would like to thank Rubygems upstream for reporting CVE-2013-4287.
Upstream acknowledges Damir Sharipov as the original reporter.

All rubygems users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
rubygems-1.3.7-4.el6_4.src.rpm
File outdated by: RHBA-2013:1694

IA-32:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

x86_64:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
rubygems-1.3.7-4.el6_4.src.rpm
File outdated by: RHBA-2013:1694

x86_64:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
rubygems-1.3.7-4.el6_4.src.rpm
File outdated by: RHBA-2013:1694

IA-32:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

PPC:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

s390x:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

x86_64:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
rubygems-1.3.7-4.el6_4.src.rpm
File outdated by: RHBA-2013:1694

x86_64:
rubygems-1.3.7-4.el6_4.noarch.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
rubygems-1.3.7-4.el6_4.src.rpm
File outdated by: RHBA-2013:1694

IA-32:
rubygems-1.3.7-4.el6_4.noarch.rpm

PPC:
rubygems-1.3.7-4.el6_4.noarch.rpm

s390x:
rubygems-1.3.7-4.el6_4.noarch.rpm

x86_64:
rubygems-1.3.7-4.el6_4.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
rubygems-1.3.7-4.el6_4.src.rpm
File outdated by: RHBA-2013:1694

IA-32:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694

x86_64:
rubygems-1.3.7-4.el6_4.noarch.rpm
File outdated by: RHBA-2013:1694
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1002364 - CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability
814718 - CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/