Ruby-Arbitrary code execution vulnerabilities
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.
Impact
With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code.
Vulnerable versions
- 1.8 series
-
- 1.8.4 and all prior versions
- 1.8.5-p230 and all prior versions
- 1.8.6-p229 and all prior versions
- 1.8.7-p21 and all prior versions
- 1.9 series
-
- 1.9.0-1 and all prior versions
Solution
- 1.8 series
- Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22.
- 1.9 series
- Please upgrade to 1.9.0-2.
These versions also fix the vulnerability of WEBrick (CVE-2008-1891).
Please note that a package that corrects this weakness may already be available through your package management software.
Credit
Credit to Drew Yao of Apple Product Security for disclosing the problem to Ruby Security Team.
Changes
- 2008-06-21 00:29 +09:00 removed wrong CVE IDs (CVE-2008-2727, CVE-2008-2728).
[Source:Ruby-lang]
Post a Comment