It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821 __)
It was found that the RHSA-2011-0910 __ update did not correctly fix the CVE-2011-1005 __ issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481 __)
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. (CVE-2011-1005 __)
Run yum update ruby to update your system.
i686: ruby-ri-126.96.36.1991-2.25.amzn1.i686 ruby-188.8.131.521-2.25.amzn1.i686 ruby-devel-184.108.40.2061-2.25.amzn1.i686 ruby-libs-220.127.116.111-2.25.amzn1.i686 ruby-static-18.104.22.1681-2.25.amzn1.i686 ruby-debuginfo-22.214.171.1241-2.25.amzn1.i686 noarch: ruby-irb-126.96.36.1991-2.25.amzn1.noarch ruby-rdoc-188.8.131.521-2.25.amzn1.noarch src: ruby-184.108.40.2061-2.25.amzn1.src x86_64: ruby-ri-220.127.116.111-2.25.amzn1.x86_64 ruby-libs-18.104.22.1681-2.25.amzn1.x86_64 ruby-static-22.214.171.1241-2.25.amzn1.x86_64 ruby-126.96.36.1991-2.25.amzn1.x86_64 ruby-devel-188.8.131.521-2.25.amzn1.x86_64 ruby-debuginfo-184.108.40.2061-2.25.amzn1.x86_64