Test ID:	1.3.6.1.4.1.25623.1.0.58721
Category:	Red Hat Local Security Checks
Title:	RedHat Security Advisory RHSA-2007:0961
Summary:	NOSUMMARY
Description:	Description: The remote host is missing updates announced in advisory RHSA-2007:0961. Ruby is an interpreted scripting language for object-oriented programming. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. If a remote attacker sends a specially crafted request, it is possible to cause the ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) An SSL certificate validation flaw was discovered in several Ruby Net modules. The libraries were not checking the requested host name against the common name (CN) in the SSL server certificate, possibly allowing a man in the middle attack. (CVE-2007-5162, CVE-2007-5770) Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues. Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date http://rhn.redhat.com/errata/RHSA-2007-0961.html http://www.redhat.com/security/updates/classification/#moderate Risk factor : Medium CVSS Score: 5.0
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2006-6303 http://lists.apple.com/archives/security-announce/2007/May/msg00004.html BugTraq ID: 21441 http://www.securityfocus.com/bid/21441 http://security.gentoo.org/glsa/glsa-200612-21.xml http://jvn.jp/jp/JVN%2384798830/index.html http://www.mandriva.com/security/advisories?name=MDKSA-2006:225 http://bugs.gentoo.org/show_bug.cgi?id=157048 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218287 http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb.diff?f=h&only_with_tag=MAIN&r1=text&tr1=1.92&r2=text&tr2=1.91 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10529 http://www.redhat.com/support/errata/RHSA-2007-0961.html http://securitytracker.com/id?1017363 http://secunia.com/advisories/23165 http://secunia.com/advisories/23268 http://secunia.com/advisories/23454 http://secunia.com/advisories/25402 http://secunia.com/advisories/27576 http://secunia.com/advisories/31090 SuSE Security Announcement: SUSE-SR:2007:004 (Google Search) http://www.novell.com/linux/security/advisories/2007_4_sr.html http://www.ubuntu.com/usn/usn-394-1 http://www.vupen.com/english/advisories/2006/4855 http://www.vupen.com/english/advisories/2007/1939 XForce ISS Database: ruby-cgi-library-dos(30734) https://exchange.xforce.ibmcloud.com/vulnerabilities/30734 Common Vulnerability Exposure (CVE) ID: CVE-2007-5162 BugTraq ID: 25847 http://www.securityfocus.com/bid/25847 Bugtraq: 20070927 Ruby Net::HTTPS library does not validate server certificate CN (Google Search) http://www.securityfocus.com/archive/1/480987/100/0/threaded Bugtraq: 20071112 FLEA-2007-0068-1 ruby (Google Search) http://www.securityfocus.com/archive/1/483577/100/0/threaded Debian Security Information: DSA-1410 (Google Search) http://www.debian.org/security/2007/dsa-1410 Debian Security Information: DSA-1411 (Google Search) http://www.debian.org/security/2007/dsa-1411 Debian Security Information: DSA-1412 (Google Search) http://www.debian.org/security/2007/dsa-1412 https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00097.html https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00391.html https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00087.html http://www.mandriva.com/security/advisories?name=MDVSA-2008:029 http://www.isecpartners.com/advisories/2007-006-rubyssl.txt https://bugzilla.redhat.com/show_bug.cgi?id=313791 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10738 http://www.redhat.com/support/errata/RHSA-2007-0965.html http://secunia.com/advisories/26985 http://secunia.com/advisories/27044 http://secunia.com/advisories/27432 http://secunia.com/advisories/27673 http://secunia.com/advisories/27756 http://secunia.com/advisories/27764 http://secunia.com/advisories/27769 http://secunia.com/advisories/27818 http://secunia.com/advisories/28645 http://secunia.com/advisories/29556 http://securityreason.com/securityalert/3180 SuSE Security Announcement: SUSE-SR:2007:024 (Google Search) http://www.novell.com/linux/security/advisories/2007_24_sr.html http://www.ubuntu.com/usn/usn-596-1 http://www.vupen.com/english/advisories/2007/3340 XForce ISS Database: ruby-nethttps-mitm(36861) https://exchange.xforce.ibmcloud.com/vulnerabilities/36861 Common Vulnerability Exposure (CVE) ID: CVE-2007-5770 1018938 http://www.securitytracker.com/id?1018938 26421 http://www.securityfocus.com/bid/26421 26985 27576 27673 27756 27764 27769 27818 28136 http://secunia.com/advisories/28136 28645 29556 ADV-2007-4238 http://www.vupen.com/english/advisories/2007/4238 APPLE-SA-2007-12-17 http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html DSA-1410 DSA-1411 DSA-1412 MDVSA-2008:029 RHSA-2007:0961 RHSA-2007:0965 SUSE-SR:2007:024 TA07-352A http://www.us-cert.gov/cas/techalerts/TA07-352A.html USN-596-1 http://docs.info.apple.com/article.html?artnum=307179 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656 https://bugzilla.redhat.com/show_bug.cgi?id=362081 oval:org.mitre.oval:def:11025 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11025
Copyright	Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.