Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-691-1.NASL
HistoryApr 23, 2009 - 12:00 a.m.

Ubuntu 8.10 : ruby1.9 vulnerability (USN-691-1)

2009-04-2300:00:00
Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
14
JSON

Laurent Gaffie discovered that Ruby did not properly check for memory allocation failures. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service. (CVE-2008-3443)

This update also fixes a regression in the upstream patch previously applied to fix CVE-2008-3790. The regression would cause parsing of some XML documents to fail.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-691-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(37474);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2008-3443", "CVE-2008-3790");
  script_bugtraq_id(30682, 30802);
  script_xref(name:"USN", value:"691-1");

  script_name(english:"Ubuntu 8.10 : ruby1.9 vulnerability (USN-691-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Laurent Gaffie discovered that Ruby did not properly check for memory
allocation failures. If a user or automated system were tricked into
running a malicious script, an attacker could cause a denial of
service. (CVE-2008-3443)

This update also fixes a regression in the upstream patch previously
applied to fix CVE-2008-3790. The regression would cause parsing of
some XML documents to fail.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/691-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:irb1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libdbm-ruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgdbm-ruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libopenssl-ruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreadline-ruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby1.9-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtcltk-ruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:rdoc1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ri1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby1.9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby1.9-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby1.9-elisp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby1.9-examples");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(8\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"8.10", pkgname:"irb1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libdbm-ruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libgdbm-ruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libopenssl-ruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libreadline-ruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libruby1.9-dbg", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libtcltk-ruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"rdoc1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"ri1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"ruby1.9", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"ruby1.9-dev", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"ruby1.9-elisp", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"ruby1.9-examples", pkgver:"1.9.0.2-7ubuntu1.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irb1.9 / libdbm-ruby1.9 / libgdbm-ruby1.9 / libopenssl-ruby1.9 / etc");
}
VendorProductVersionCPE
canonicalubuntu_linuxirb1.9p-cpe:/a:canonical:ubuntu_linux:irb1.9
canonicalubuntu_linuxlibdbm-ruby1.9p-cpe:/a:canonical:ubuntu_linux:libdbm-ruby1.9
canonicalubuntu_linuxlibgdbm-ruby1.9p-cpe:/a:canonical:ubuntu_linux:libgdbm-ruby1.9
canonicalubuntu_linuxlibopenssl-ruby1.9p-cpe:/a:canonical:ubuntu_linux:libopenssl-ruby1.9
canonicalubuntu_linuxlibreadline-ruby1.9p-cpe:/a:canonical:ubuntu_linux:libreadline-ruby1.9
canonicalubuntu_linuxlibruby1.9p-cpe:/a:canonical:ubuntu_linux:libruby1.9
canonicalubuntu_linuxlibruby1.9-dbgp-cpe:/a:canonical:ubuntu_linux:libruby1.9-dbg
canonicalubuntu_linuxlibtcltk-ruby1.9p-cpe:/a:canonical:ubuntu_linux:libtcltk-ruby1.9
canonicalubuntu_linuxrdoc1.9p-cpe:/a:canonical:ubuntu_linux:rdoc1.9
canonicalubuntu_linuxri1.9p-cpe:/a:canonical:ubuntu_linux:ri1.9
Rows per page:
1-10 of 151

Related

ubuntu 2
openvas 39
prion 2
osv 3
seebug 1
ubuntucve 2
debian 3
cve 2
nessus 24
veracode 1
rubygems 1
redhat 3
oraclelinux 2
centos 3
fedora 3
suse 1
gentoo 1
securityvulns 1
ubuntu
ubuntu
Ruby vulnerability
2008-12-16 00:00:00
Ruby vulnerabilities
2008-10-10 00:00:00
openvas
openvas
Ubuntu Update for ruby1.9 vulnerability USN-691-1
2009-03-23 00:00:00
Debian Security Advisory DSA 1695-1 (ruby1.8, ruby1.9)
2009-01-07 00:00:00
Debian Security Advisory DSA 1695-1 (ruby1.8, ruby1.9)
2009-01-07 00:00:00
prion
prion
Privilege escalation
2008-08-27 20:41:00
Design/Logic Flaw
2008-08-14 23:41:00
osv
osv
ruby1.8 ruby1.9 - denial of service
2009-01-02 00:00:00
ruby1.8 - several vulnerabilities
2008-10-12 00:00:00
ruby1.9 - several vulnerabilities
2008-10-12 00:00:00
seebug
seebug
Ruby regex.cθΏœη¨‹ζ‹’η»ζœεŠ‘ζΌζ΄ž
2009-01-06 00:00:00
ubuntucve
ubuntucve
CVE-2008-3443
2008-08-14 00:00:00
CVE-2008-3790
2008-08-27 00:00:00
debian
debian
[SECURITY] [DSA 1695-1] New Ruby packages fix denial of service
2009-01-02 21:47:08
[SECURITY] [DSA 1652-1] New ruby1.9 packages fix several vulnerabilities
2008-10-12 09:37:58
[SECURITY] [DSA 1651-1] New ruby1.8 packages fix several vulnerabilities
2008-10-12 09:36:52
cve
cve
CVE-2008-3790
2008-08-27 20:41:00
CVE-2008-3443
2008-08-14 23:41:00
nessus
nessus
Debian DSA-1695-1 : ruby1.8, ruby1.9 - memory leak
2009-01-06 00:00:00
Mandriva Linux Security Advisory : ruby (MDVSA-2008:226)
2009-04-23 00:00:00
Fedora 8 : ruby-1.8.6.287-2.fc8 (2008-8736)
2008-10-10 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-04-10 00:26:04
rubygems
rubygems
CVE-2008-3790 ruby: DoS vulnerability in the REXML module
2008-08-24 20:00:00
redhat
redhat
(RHSA-2008:0897) Moderate: ruby security update
2008-10-21 00:00:00
(RHSA-2008:0895) Moderate: ruby security update
2008-10-21 00:00:00
(RHSA-2008:0896) Moderate: ruby security update
2008-10-21 00:00:00
oraclelinux
oraclelinux
ruby security update
2008-10-21 00:00:00
ruby security update
2008-10-21 00:00:00
centos
centos
irb, ruby security update
2008-10-24 00:04:31
irb, ruby security update
2008-10-22 04:31:37
irb, ruby security update
2008-10-21 16:06:28
fedora
fedora
[SECURITY] Fedora 10 Update: ruby-1.8.6.368-2.fc10
2009-12-11 18:18:17
[SECURITY] Fedora 9 Update: ruby-1.8.6.287-2.fc9
2008-10-09 21:29:45
[SECURITY] Fedora 8 Update: ruby-1.8.6.287-2.fc8
2008-10-09 21:35:31
suse
suse
remote code execution in dhcp-client
2009-07-15 16:27:03
gentoo
gentoo
Ruby: Multiple vulnerabilities
2008-12-16 00:00:00
securityvulns
securityvulns
About the security content of Security Update 2009-002 / Mac OS X v10.5.7
2009-05-14 00:00:00
JSON
Related for UBUNTU_USN-691-1.NASL
ubuntu2openvas39prion2osv3seebug1ubuntucve2debian3cve2nessus24veracode1rubygems1redhat3oraclelinux2centos3fedora3suse1gentoo1securityvulns1