Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.61719
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2008:0897
Summary:NOSUMMARY
Description:Description:

The remote host is missing updates announced in
advisory RHSA-2008:0897.

Ruby is an interpreted scripting language for quick and easy
object-oriented programming.

The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs
and a fixed source port when sending DNS requests. A remote attacker could
use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)

Ruby's XML document parsing module (REXML) was prone to a denial of service
attack via XML documents with large XML entity definitions recursion. A
specially-crafted XML file could cause a Ruby application using the REXML
module to use an excessive amount of CPU and memory. (CVE-2008-3790)

An insufficient taintness check flaw was discovered in Ruby's DL module,
which provides direct access to the C language functions. An attacker could
use this flaw to bypass intended safe-level restrictions by calling
external C functions with the arguments from an untrusted tainted inputs.
(CVE-2008-3657)

A denial of service flaw was discovered in WEBrick, Ruby's HTTP server
toolkit. A remote attacker could send a specially-crafted HTTP request to a
WEBrick server that would cause the server to use an excessive amount of
CPU time. (CVE-2008-3656)

A number of flaws were found in the safe-level restrictions in Ruby. It
was possible for an attacker to create a carefully crafted malicious script
that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If
a Ruby script tried to process a large amount of data via a regular
expression, it could cause Ruby to enter an infinite-loop and crash.
(CVE-2008-3443)

Users of ruby should upgrade to these updated packages, which contain
backported patches to resolve these issues.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2008-0897.html
http://www.redhat.com/security/updates/classification/#moderate

Risk factor : High

CVSS Score:
7.8

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-3443
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
BugTraq ID: 30682
http://www.securityfocus.com/bid/30682
Cert/CC Advisory: TA09-133A
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
Debian Security Information: DSA-1695 (Google Search)
http://www.debian.org/security/2009/dsa-1695
https://www.exploit-db.com/exploits/6239
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00299.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00259.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9570
http://www.redhat.com/support/errata/RHSA-2008-0895.html
http://www.redhat.com/support/errata/RHSA-2008-0897.html
http://www.securitytracker.com/id?1021075
http://secunia.com/advisories/31430
http://secunia.com/advisories/32165
http://secunia.com/advisories/32219
http://secunia.com/advisories/32371
http://secunia.com/advisories/32372
http://secunia.com/advisories/33185
http://secunia.com/advisories/33398
http://secunia.com/advisories/35074
http://securityreason.com/securityalert/4158
https://usn.ubuntu.com/651-1/
https://usn.ubuntu.com/691-1/
http://www.vupen.com/english/advisories/2009/1297
XForce ISS Database: ruby-regex-dos(44688)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44688
Common Vulnerability Exposure (CVE) ID: CVE-2008-3655
BugTraq ID: 30644
http://www.securityfocus.com/bid/30644
Bugtraq: 20080831 rPSA-2008-0264-1 ruby (Google Search)
http://www.securityfocus.com/archive/1/495884/100/0/threaded
Debian Security Information: DSA-1651 (Google Search)
http://www.debian.org/security/2008/dsa-1651
Debian Security Information: DSA-1652 (Google Search)
http://www.debian.org/security/2008/dsa-1652
http://security.gentoo.org/glsa/glsa-200812-17.xml
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11602
http://www.securitytracker.com/id?1020656
http://secunia.com/advisories/31697
http://secunia.com/advisories/32255
http://secunia.com/advisories/32256
http://secunia.com/advisories/33178
http://www.vupen.com/english/advisories/2008/2334
XForce ISS Database: ruby-safelevel-security-bypass(44369)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44369
Common Vulnerability Exposure (CVE) ID: CVE-2008-3656
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9682
http://www.securitytracker.com/id?1020654
XForce ISS Database: ruby-webrick-dos(44371)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44371
Common Vulnerability Exposure (CVE) ID: CVE-2008-3657
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9793
http://www.securitytracker.com/id?1020652
XForce ISS Database: ruby-dl-security-bypass(44372)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44372
Common Vulnerability Exposure (CVE) ID: CVE-2008-3790
BugTraq ID: 30802
http://www.securityfocus.com/bid/30802
http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/19f69e8a081fc0d1/e138e014b74352ca
http://www.openwall.com/lists/oss-security/2008/08/25/4
http://www.openwall.com/lists/oss-security/2008/08/26/1
http://www.openwall.com/lists/oss-security/2008/08/26/4
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10393
http://www.securitytracker.com/id?1020735
http://secunia.com/advisories/31602
http://www.vupen.com/english/advisories/2008/2428
http://www.vupen.com/english/advisories/2008/2483
XForce ISS Database: ruby-rexml-dos(44628)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44628
Common Vulnerability Exposure (CVE) ID: CVE-2008-3905
BugTraq ID: 31699
http://www.securityfocus.com/bid/31699
http://www.openwall.com/lists/oss-security/2008/09/03/3
http://www.openwall.com/lists/oss-security/2008/09/04/9
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10034
http://secunia.com/advisories/32948
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.371754
XForce ISS Database: ruby-resolv-dns-spoofing(45935)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45935
CopyrightCopyright (c) 2008 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.