Test ID:	1.3.6.1.4.1.25623.1.0.66843
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-900-1 (ruby1.9)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to ruby1.9 announced via advisory USN-900-1. Details follow: Emmanouel Kellinis discovered that Ruby did not properly handle certain string operations. An attacker could exploit this issue and possibly execute arbitrary code with application privileges. (CVE-2009-4124) Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that Ruby did not properly sanitize data written to log files. An attacker could insert specially-crafted data into log files which could affect certain terminal emulators and cause arbitrary files to be overwritten, or even possibly execute arbitrary commands. (CVE-2009-4492) It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904) Solution: The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.10: libruby1.9 1.9.0.2-7ubuntu1.3 ruby1.9 1.9.0.2-7ubuntu1.3 Ubuntu 9.04: libruby1.9 1.9.0.2-9ubuntu1.2 ruby1.9 1.9.0.2-9ubuntu1.2 Ubuntu 9.10: libruby1.9 1.9.0.5-1ubuntu1.2 ruby1.9 1.9.0.5-1ubuntu1.2 In general, a standard system upgrade is sufficient to effect the necessary changes. http://www.securityspace.com/smysecure/catid.html?in=USN-900-1 Risk factor : Critical CVSS Score: 10.0
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-1904 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html BugTraq ID: 35278 http://www.securityfocus.com/bid/35278 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00731.html http://security.gentoo.org/glsa/glsa-200906-02.xml http://www.mandriva.com/security/advisories?name=MDVSA-2009:160 http://mail-index.netbsd.org/pkgsrc-changes/2009/06/10/msg024708.html http://groups.google.com/group/rubyonrails-security/msg/fad60751e2b9b4f6?dmode=source http://osvdb.org/55031 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9780 http://www.redhat.com/support/errata/RHSA-2009-1140.html http://www.securitytracker.com/id?1022371 http://secunia.com/advisories/35399 http://secunia.com/advisories/35527 http://secunia.com/advisories/35593 http://secunia.com/advisories/35699 http://secunia.com/advisories/35937 http://secunia.com/advisories/37705 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.430805 http://www.ubuntu.com/usn/USN-805-1 http://www.vupen.com/english/advisories/2009/1563 XForce ISS Database: ruby-bigdecimal-dos(51032) https://exchange.xforce.ibmcloud.com/vulnerabilities/51032 Common Vulnerability Exposure (CVE) ID: CVE-2009-4124 BugTraq ID: 37278 http://www.securityfocus.com/bid/37278 http://www.osvdb.org/60880 http://secunia.com/advisories/37660 http://www.vupen.com/english/advisories/2009/3471 XForce ISS Database: ruby-rbstrjustify-bo(54674) https://exchange.xforce.ibmcloud.com/vulnerabilities/54674 Common Vulnerability Exposure (CVE) ID: CVE-2009-4492 BugTraq ID: 37710 http://www.securityfocus.com/bid/37710 Bugtraq: 20100110 Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection (Google Search) http://www.securityfocus.com/archive/1/508830/100/0/threaded http://www.ush.it/team/ush/hack_httpd_escape/adv.txt http://www.redhat.com/support/errata/RHSA-2011-0908.html http://www.redhat.com/support/errata/RHSA-2011-0909.html http://securitytracker.com/id?1023429 http://secunia.com/advisories/37949 http://www.vupen.com/english/advisories/2010/0089
Copyright	Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.