[SECURITY] [DLA 235-1] ruby1.9.1 security update

Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u4
CVE ID : CVE-2011-0188 CVE-2011-2705 CVE-2012-4522 CVE-2013-0256
CVE-2013-2065 CVE-2015-1855

CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
and other platforms, does not properly allocate memory, which allows
context-dependent attackers to execute arbitrary code or cause a
denial of service (application crash) via vectors involving creation
of a large BigDecimal value within a 64-bit process, related to an
"integer truncation issue."

CVE-2011-2705
use upstream SVN r32050 to modify PRNG state to prevent random number
sequence repeatation at forked child process which has same pid.
Reported by Eric Wong.

CVE-2012-4522
The rb_get_path_check function in file.c in Ruby 1.9.3 before
patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent
attackers to create files in unexpected locations or with unexpected
names via a NUL byte in a file path.

CVE-2013-0256
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before
4.0.0.preview2.1, as used in Ruby, does not properly generate
documents, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via a crafted URL.

CVE-2013-2065
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426,
and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for
native functions, which allows context-dependent attackers to bypass
intended $SAFE level restrictions.

CVE-2015-1855
OpenSSL extension hostname matching implementation violates RFC 6125