| Description: | Description:
The remote host is missing an update to ruby
announced via advisory MDVSA-2008:226.
A denial of service condition was found in Ruby's regular expression
engine. If a Ruby script tried to process a large amount of data
via a regular expression, it could cause Ruby to enter an infinite
loop and crash (CVE-2008-3443).
A number of flaws were found in Ruby that could allow an attacker to
create a carefully crafted script that could allow for the bypass of
certain safe-level restrictions (CVE-2008-3655).
A denial of service vulnerability was found in Ruby's HTTP server
toolkit, WEBrick. A remote attacker could send a specially-crafted
HTTP request to a WEBrick server that would cause it to use an
excessive amount of CPU time (CVE-2008-3656).
An insufficient taintness check issue was found in Ruby's DL module,
a module that provides direct access to the C language functions.
This flaw could be used by an attacker to bypass intended safe-level
restrictions by calling external C functions with the arguments from
an untrusted tainted input (CVE-2008-3657).
A denial of service condition in Ruby's XML document parsing module
(REXML) could cause a Ruby application using the REXML module to use
an excessive amount of CPU and memory via XML documents with large
XML entitity definitions recursion (CVE-2008-3790).
The Ruby DNS resolver library used predictable transaction IDs and
a fixed source port when sending DNS requests. This could be used
by a remote attacker to spoof a malicious reply to a DNS query
(CVE-2008-3905).
The updated packages have been patched to correct these issues.
Affected: 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2008:226
Risk factor : High
CVSS Score:
7.8
|
