DEBIAN:DLA-263-1

[SECURITY] [DLA 263-1] ruby1.9.1 security update

2015-07-01 10:09:26
lists.debian.org

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

AI Score

7.9

Confidence

High

EPSS

0.02

Percentile

88.9%

Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u5
CVE ID : CVE-2012-5371 CVE-2013-0269
Debian Bug : 693024 700471

Two vulnerabilities were identified in the Ruby language interpreter,
version 1.9.1.

CVE-2012-5371

Jean-Philippe Aumasson identified that Ruby computed hash values
without properly restricting the ability to trigger hash collisions
predictably, allowing context-dependent attackers to cause a denial
of service (CPU consumption). This is a different vulnerability than
CVE-2011-4815.
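The following is an added illustration, not code from this advisory, from Debian or from the Ruby project, of why predictable collisions are a denial of service. A real attack on the unfixed interpreter needs strings engineered to collide under its hash function; the example instead simulates that outcome with a key class whose #hash returns a constant (an assumption made so it runs on any Ruby), and counts how many eql? comparisons Hash has to make. With distinct hash values the count stays at zero; with colliding keys the k-th insert scans the k keys already in the bucket, so total work grows quadratically.

```ruby
# Key whose hash value the caller controls (constructed for this example).
class ControlledKey
  class << self
    attr_accessor :eql_calls   # number of times Hash fell back to eql?
  end
  self.eql_calls = 0

  attr_reader :id

  def initialize(id, hash_value)
    @id = id
    @hash_value = hash_value
  end

  # Returning a constant from here is the simulated "predictable collision".
  def hash
    @hash_value
  end

  # Hash only calls eql? for keys whose #hash already matched, so every
  # call counted here is work caused by a collision.
  def eql?(other)
    self.class.eql_calls += 1
    other.is_a?(ControlledKey) && id == other.id
  end
end

# Insert n distinct keys into a Hash and return how many eql? comparisons
# it cost.  collide: false gives each key its own hash value (0 comparisons);
# collide: true gives every key the same value, costing at least n*(n-1)/2.
def collision_cost(n, collide:)
  ControlledKey.eql_calls = 0
  table = {}
  n.times do |i|
    table[ControlledKey.new(i, collide ? 0x5EED : i)] = true
  end
  raise "lost entries: #{table.size}" unless table.size == n
  ControlledKey.eql_calls
end

if __FILE__ == $PROGRAM_NAME
  [64, 256, 1024].each do |n|
    puts "n=#{n}: distinct=#{collision_cost(n, collide: false)} " \
         "colliding=#{collision_cost(n, collide: true)}"
  end
end
```

The fix for this class of bug is to make the hash function's output unpredictable to the attacker, typically by seeding it per process; on a patched interpreter running `ruby -e 'p "abc".hash'` twice prints different values, which is the quick check that the seed is in effect.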

CVE-2013-0269

Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby
allowed remote attackers to cause a denial of service (resource
consumption) or bypass the mass assignment protection mechanism via
a crafted JSON document that triggers the creation of arbitrary Ruby
symbols or certain internal objects.
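The following is an added example, not code from this advisory, from Debian or from the json gem, of the parser behaviour behind this CVE. The "json_class" key (JSON.create_id) lets a document name a Ruby class that the parser instantiates via that class's json_create method. Before the fix the parser honoured this by default, so an attacker could mint symbols (here via the gem's own json/add/symbol extension) or build whatever application objects happen to define json_create; the AccountUpdate class and both documents below are constructed for the example. The fixed behaviour is the create_additions: false default, which hands back a plain Hash.

```ruby
require 'json'
require 'json/add/symbol'   # defines Symbol.json_create(o) => o['s'].to_sym

# Crafted input (constructed for this example): the document chooses the class.
CRAFTED_SYMBOL = '{"json_class":"Symbol","s":"attacker_chosen_symbol"}'
CRAFTED_OBJECT = '{"json_class":"AccountUpdate","email":"x@example.com","role":"admin"}'

# Hypothetical application class; any class reachable by name that responds
# to json_create can be built from a crafted document once additions are on.
class AccountUpdate
  attr_reader :fields

  def initialize(fields)
    @fields = fields
  end

  def self.json_create(obj)
    new(obj.reject { |k, _| k == JSON.create_id })
  end
end

# Pre-fix default: additions enabled, the document picks what gets built.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Fixed default: additions off, "json_class" is just another string key.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_additions(CRAFTED_SYMBOL)   # a Symbol the attacker named
  p parse_with_additions(CRAFTED_OBJECT)   # an AccountUpdate instance
  p parse_untrusted(CRAFTED_SYMBOL)        # {"json_class"=>"Symbol", "s"=>...}
  p parse_untrusted(CRAFTED_OBJECT)        # plain Hash
end
```

In the json gem that ships with current Ruby, JSON.parse already defaults to create_additions: false, while JSON.load (intended for data the application serialized itself) keeps additions enabled; route untrusted documents through JSON.parse, and treat any class that defines json_create as reachable from input when additions are on.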

For the squeeze distribution, these vulnerabilities have been fixed in
version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade
your ruby1.9.1 package.
Attachment:
signature.asc
Description: Digital signature
