
Security Advisory Moderate: ruby193-ruby security update

Advisory: RHSA-2013:1523-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-11-14
Last updated on: 2013-11-14
Affected Products: Red Hat OpenStack 3.0
CVEs (cve.mitre.org): CVE-2013-4287

Details

Updated ruby193-ruby packages that fix one security issue are now available
for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby is an extensible, interpreted, object-oriented scripting language. It
has features to process text files and to do system management tasks.
RubyGems is the Ruby standard for publishing and managing third-party
libraries.

It was discovered that the rubygems API validated version strings using an
unsafe regular expression. An application making use of this API to process
a version string from an untrusted source could be vulnerable to a denial
of service attack through CPU exhaustion. (CVE-2013-4287)
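As an added example (not Red Hat's or RubyGems' code), a version-string validator in the risky shape the advisory describes, beside a hardened one with the two defences a caller controls: a length cap on untrusted input and a time budget on the match. Both patterns are constructed to illustrate the pattern class and are not quoted from the affected package.

```ruby
require "timeout"

# Constructed illustration of the risky shape: a whole version grammar wrapped
# in an outer "*". A run like "1111" can be split between the repetitions in
# exponentially many ways, and a non-matching tail makes the engine try them all.
# Never use this on untrusted input.
RISKY_VERSION_RE = /\A\s*([0-9]+(\.[0-9a-zA-Z]+)*)*\s*\z/

# Hardened shape: the same grammar matched at most once, anchored, with every
# repeated group introduced by a literal "." so each character can be consumed
# in only one way; matching time grows linearly with the input.
SAFE_VERSION_RE = /\A\s*[0-9]+(\.[0-9a-zA-Z]+)*\s*\z/

# Assumption: versions longer than this are rejected before any regex runs.
MAX_VERSION_LENGTH = 64

# True only for a well-formed version that matches within `limit` seconds.
# Timeout.timeout relies on the interpreter interrupting the match; on Ruby 3.2+
# Regexp.new(src, timeout: limit) is the built-in equivalent.
def valid_version?(str, limit: 0.1)
  return false unless str.is_a?(String) && str.bytesize <= MAX_VERSION_LENGTH
  Timeout.timeout(limit) { SAFE_VERSION_RE.match?(str) }
rescue Timeout::Error
  false
end

# Returns the dot-separated segments of a valid version, or nil when rejected.
def parse_version(str, limit: 0.1)
  return nil unless valid_version?(str, limit: limit)
  str.strip.split(".")
end
```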

Red Hat would like to thank Rubygems upstream for reporting this
issue. Upstream acknowledges Damir Sharipov as the original reporter.

Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct this issue.
Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat OpenStack 3.0

SRPMS:
ruby193-ruby-1.9.3.448-40.el6.src.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygems-1.8.24-9.el6ost.src.rpm

x86_64:
ruby193-ruby-1.9.3.448-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-ruby-debuginfo-1.9.3.448-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-ruby-devel-1.9.3.448-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-ruby-doc-1.9.3.448-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-ruby-irb-1.9.3.448-40.el6.noarch.rpm
File outdated by: RHSA-2014:0011
ruby193-ruby-libs-1.9.3.448-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-ruby-tcltk-1.9.3.448-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygem-bigdecimal-1.1.0-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygem-io-console-0.3-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygem-json-1.5.5-40.el6.x86_64.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygem-minitest-2.5.1-40.el6.noarch.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygem-rake-0.9.2.2-40.el6.noarch.rpm
File outdated by: RHSA-2014:0011
ruby193-rubygems-1.8.24-9.el6ost.noarch.rpm
ruby193-rubygems-devel-1.8.24-9.el6ost.noarch.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1002364 - CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/