ID de Prueba:	1.3.6.1.4.1.25623.1.0.120557
Categoría:	Amazon Linux Local Security Checks
Título:	Amazon Linux: Security Advisory (ALAS-2013-173)
Resumen:	The remote host is missing an update for the 'ruby' package(s) announced via the ALAS-2013-173 advisory.
Descripción:	Summary: The remote host is missing an update for the 'ruby' package(s) announced via the ALAS-2013-173 advisory. Vulnerability Insight: It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821) It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481) The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. (CVE-2011-1005) Affected Software/OS: 'ruby' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2011-1005 43420 http://secunia.com/advisories/43420 43573 http://secunia.com/advisories/43573 46458 http://www.securityfocus.com/bid/46458 70957 http://osvdb.org/70957 ADV-2011-0539 http://www.vupen.com/english/advisories/2011/0539 APPLE-SA-2012-05-09-1 http://lists.apple.com/archives/security-announce/2012/May/msg00001.html FEDORA-2011-1876 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054422.html FEDORA-2011-1913 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054436.html MDVSA-2011:097 http://www.mandriva.com/security/advisories?name=MDVSA-2011:097 MDVSA-2011:098 http://www.mandriva.com/security/advisories?name=MDVSA-2011:098 RHSA-2011:0908 http://www.redhat.com/support/errata/RHSA-2011-0908.html RHSA-2011:0909 http://www.redhat.com/support/errata/RHSA-2011-0909.html RHSA-2011:0910 http://www.redhat.com/support/errata/RHSA-2011-0910.html [oss-security] 20110221 CVE request: ruby: FileUtils is vulnerable to symlink race attacks + Exception methods can bypass $SAFE http://www.openwall.com/lists/oss-security/2011/02/21/2 [oss-security] 20110221 Re: CVE request: ruby: FileUtils is vulnerable to symlink race attacks + Exception methods can bypass $SAFE http://www.openwall.com/lists/oss-security/2011/02/21/5 http://support.apple.com/kb/HT5281 http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/ https://bugzilla.redhat.com/show_bug.cgi?id=678920 Common Vulnerability Exposure (CVE) ID: CVE-2012-4481 MDVSA-2013:124 http://www.mandriva.com/security/advisories?name=MDVSA-2013:124 RHSA-2013:0129 http://rhn.redhat.com/errata/RHSA-2013-0129.html RHSA-2013:0612 http://rhn.redhat.com/errata/RHSA-2013-0612.html [oss-security] 20121005 Re: CVE Request -- ruby (1.8.x with patched CVE-2011-1005): Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects http://www.openwall.com/lists/oss-security/2012/10/05/4 https://bugzilla.redhat.com/show_bug.cgi?id=863484 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294 Common Vulnerability Exposure (CVE) ID: CVE-2013-1821 BugTraq ID: 58141 http://www.securityfocus.com/bid/58141 Debian Security Information: DSA-2738 (Google Search) http://www.debian.org/security/2013/dsa-2738 Debian Security Information: DSA-2809 (Google Search) http://www.debian.org/security/2013/dsa-2809 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702525 https://bugzilla.redhat.com/show_bug.cgi?id=914716 http://www.openwall.com/lists/oss-security/2013/03/06/5 RedHat Security Advisories: RHSA-2013:0611 http://rhn.redhat.com/errata/RHSA-2013-0611.html RedHat Security Advisories: RHSA-2013:0612 RedHat Security Advisories: RHSA-2013:1028 http://rhn.redhat.com/errata/RHSA-2013-1028.html RedHat Security Advisories: RHSA-2013:1147 http://rhn.redhat.com/errata/RHSA-2013-1147.html http://secunia.com/advisories/52783 http://secunia.com/advisories/52902 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 SuSE Security Announcement: SUSE-SU-2013:0609 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html SuSE Security Announcement: SUSE-SU-2013:0647 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html SuSE Security Announcement: openSUSE-SU-2013:0603 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html SuSE Security Announcement: openSUSE-SU-2013:0614 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-04/msg00036.html http://www.ubuntu.com/usn/USN-1780-1
Copyright	Copyright (C) 2015 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.