(RHSA-2013:0701) Moderate: ruby193-ruby, rubygem-json and rubygem-rdoc security update


Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to do system management tasks.

A flaw in rubygem-json and ruby193-rubygem-json allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269)

It was found that documentation created by rubygem-rdoc and ruby193-rubygem-rdoc was vulnerable to a cross-site scripting (XSS) attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's session. As rubygem-rdoc and ruby193-rubygem-rdoc are used for creating documentation for Ruby source files (such as classes, modules, and so on), it is not a common scenario to make such documentation accessible over the network. (CVE-2013-0256)

Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269, and Eric Hodel of RDoc upstream for reporting CVE-2013-0256. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269, and Evgeny Ermakov as the original reporter of CVE-2013-0256.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these updated packages, which correct these issues.
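The JSON flaw above comes down to two parser behaviours on untrusted input: a document being allowed to instantiate Ruby objects, and parsed keys becoming Symbols that Ruby 1.9 never reclaimed. The following wrapper is an added example, not part of the advisory or of the json gem; it assumes the json gem's `create_additions`, `symbolize_names` and `max_nesting` options and its documented `json_class` hook, and checks after parsing that only plain data types came back. Current gem versions already default `create_additions` to false; passing it explicitly records the intent and protects code that still calls into older gems.

```ruby
# Added example (not from the RHSA text): parse untrusted JSON so that it can
# only yield plain data, then verify that property. Assumptions (mine): the json
# gem's create_additions / symbolize_names / max_nesting options and its
# "json_class" key, which is the gem's hook for object creation.
require 'json'

# Parse untrusted JSON into plain Hash/Array/String/Numeric/bool/nil values only.
def parse_untrusted(text, max_nesting: 20)
  JSON.parse(
    text,
    create_additions: false,   # a "json_class" key stays an ordinary key, no object is built
    symbolize_names:  false,   # keys stay Strings; Symbols were never GC'd on Ruby 1.9
    max_nesting:      max_nesting   # bound parser depth against deeply nested documents
  )
end

PLAIN_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Walk a parsed document and confirm it contains only plain data with String keys.
def plain_data?(value)
  case value
  when Hash  then value.keys.all? { |k| k.is_a?(String) } && value.values.all? { |v| plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  else PLAIN_TYPES.any? { |t| value.is_a?(t) }
  end
end

# Constructed sample: an untrusted document that carries a "json_class" key.
SAMPLE = '{"json_class":"SomeRubyClass","name":"widget","tags":["a","b"],"n":3}'

# Parse the sample and report what came back.
def demo
  doc = parse_untrusted(SAMPLE)
  { plain: plain_data?(doc), type: doc.class, json_class_value: doc["json_class"] }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

With `create_additions: false` the `json_class` entry is returned as an ordinary String value inside a Hash, and `plain_data?` gives a cheap post-parse check that can be applied at every trust boundary where JSON enters the application.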

Affected Package

OS      OS Version  Package Name                 Package Version
RedHat  6           rubygem-json-debuginfo       1.7.3-2.el6op
RedHat  6           ruby193-rubygem-io-console   0.3-28.el6
RedHat  6           ruby193-rubygem-rdoc         3.9.4-28.el6
RedHat  6           ruby193-ruby-devel
RedHat  6           ruby193-rubygems-devel       1.8.23-28.el6
RedHat  6           rubygem-rdoc                 3.8-9.el6op
RedHat  6           rubygem-json-doc             1.7.3-2.el6op
RedHat  6           rubygem-json                 1.7.3-2.el6op
RedHat  6           ruby193-ruby-debuginfo
RedHat  6           ruby193-rubygem-rake
RedHat  6           rubygem-rdoc-doc             3.8-9.el6op
RedHat  6           ruby193-ruby-doc
RedHat  6           ruby193-ruby-irb
RedHat  6           ruby193-rubygems             1.8.23-28.el6
RedHat  6           ruby193-rubygem-minitest     2.5.1-28.el6
RedHat  6           ruby193-rubygem-bigdecimal   1.1.0-28.el6
RedHat  6           ruby193-ruby-libs
RedHat  6           ruby193-ruby
RedHat  6           ruby193-rubygem-json         1.5.4-28.el6
RedHat  6           ruby193-ruby-tcltk