CentOS Errata and Security Advisory CESA-2008:0896
Ruby is an interpreted scripting language for quick and easy object-oriented programming.
The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs and a fixed source port when sending DNS requests. A remote attacker could use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)
A number of flaws were found in the safe-level restrictions in Ruby. It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)
A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite-loop and crash. (CVE-2008-3443)
Users of ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.
Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2008-October/027370.html http://lists.centos.org/pipermail/centos-announce/2008-October/027371.html http://lists.centos.org/pipermail/centos-announce/2008-October/027381.html http://lists.centos.org/pipermail/centos-announce/2008-October/027385.html
Affected packages: irb ruby ruby-devel ruby-docs ruby-libs ruby-mode ruby-tcltk
Upstream details at: https://rhn.redhat.com/errata/RHSA-2008-0896.html