Executive Summary
Summary | |
---|---|
Title | ruby1.9.1 security update |
Information | |||
---|---|---|---|
Name | DSA-2738 | First vendor Publication | 2013-08-18 |
Vendor | Debian | Last vendor Modification | 2013-08-18 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-1821: Ben Murphy discovered that unrestricted entity expansion in REXML can lead to a denial of service by consuming all host memory.

CVE-2013-4073: William (B.J.) Snow Orvis discovered a vulnerability in the hostname checking in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.9.2.0-2+deb6u1.

For the stable distribution (wheezy), these problems have been fixed in version 1.9.3.194-8.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 1.9.3.194-8.2.

We recommend that you upgrade your ruby1.9.1 packages.
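The REXML issue (CVE-2013-1821) in working code, as an added example that is not part of the Debian advisory and not Ruby's own code: a constructed entity-expansion document, a parse that forces the expansion and shows it being aborted by the limits the fix introduced, and the two controls a service that accepts untrusted XML should add regardless of patch level (an input guard that refuses any DOCTYPE, and tightened limits). The sample documents and the names `expand_with_rexml`, `parse_untrusted` and `tighten_rexml_limits!` are this example's own; `REXML::Security` / `REXML::Document.entity_expansion_*` are REXML's real settings.

```ruby
require 'rexml/document'

# Constructed sample input (not from the advisory). The base entity is 3,000
# bytes and is referenced through two levels of ten, so the document performs
# only 111 entity expansions, far below REXML's pre-2013 count limit of
# 10,000, yet expands to 300,000 bytes. A larger base entity or one more
# level scales this until the host runs out of memory (CVE-2013-1821).
BIG_ENTITY = "lol" * 1_000
BILLION_LAUGHS = <<~XML
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "#{BIG_ENTITY}">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
XML

# Constructed benign document for comparison.
BENIGN = '<?xml version="1.0"?><greeting>hello &amp; welcome</greeting>'

# Parse and force entity expansion (REXML expands lazily, when the text node
# is read). Returns the expanded text, or :rejected when REXML aborts the
# expansion, which is what the CVE-2013-1821 fix (Ruby 1.9.3-p392 and the
# vendor backports listed on this page) does.
def expand_with_rexml(xml)
  doc = REXML::Document.new(xml)
  doc.root.text
rescue RuntimeError
  # "entity expansion has grown too large" (byte limit added by the fix,
  # default 10,240) or "number of entity expansions exceeded" (count limit,
  # default 10,000). REXML::ParseException is a RuntimeError too, so a parser
  # that aborts while still parsing is caught here as well.
  :rejected
end

# Defense in depth for untrusted XML: cap the size and refuse any internal
# DTD, the only place a document can declare expanding entities, before the
# parser ever sees it.
def parse_untrusted(xml, max_bytes: 1_000_000)
  raise ArgumentError, "document too large (#{xml.bytesize} bytes)" if xml.bytesize > max_bytes
  raise ArgumentError, "DOCTYPE declarations are not accepted" if xml.match?(/<!DOCTYPE/i)
  REXML::Document.new(xml)
end

# Lower the limits for a process that only ever handles small documents.
# Current REXML exposes them on REXML::Security; the 1.9.3-p392 fix added
# them as REXML::Document class attributes, which older releases still use.
# Returns the limits now in effect.
def tighten_rexml_limits!(expansions: 100, bytes: 1_024)
  target = defined?(REXML::Security) ? REXML::Security : REXML::Document
  target.entity_expansion_limit = expansions
  target.entity_expansion_text_limit = bytes
  [target.entity_expansion_limit, target.entity_expansion_text_limit]
end

if __FILE__ == $PROGRAM_NAME
  puts "benign:         #{expand_with_rexml(BENIGN).inspect}"
  puts "billion laughs: #{expand_with_rexml(BILLION_LAUGHS).inspect}"
end
```

The count limit that existed before 2013 is not the relevant control here: this document stays well under it and is stopped only by the byte limit the fix added, which is why the guard in `parse_untrusted` (no DOCTYPE at all for untrusted input) is the more robust choice for a service.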
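The hostname-check issue (CVE-2013-4073) as a second added example, again not code from the advisory or from Ruby: it builds a self-signed certificate whose subjectAltName dNSName carries an embedded NUL (the shape described under RHSA-2013:1090 below), extracts the SAN entries from the DER the way the fixed `OpenSSL::SSL.verify_certificate_identity` does, and applies a hostname match that rejects such names. The helper names, the `attacker.test` subject and the `example.com` / `example.org` names are constructed for the example; `OpenSSL::SSL.verify_certificate_identity` is Ruby's real function and is called at the end for comparison.

```ruby
require 'openssl'

# Build a self-signed certificate carrying the given dNSName SAN entries.
# The SAN is assembled from raw ASN.1 so that a NUL byte survives; the
# "DNS:..." config-string route cannot express one.
def build_cert_with_dns_sans(dns_names)
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=attacker.test")  # constructed
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  # GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String
  general_names = OpenSSL::ASN1::Sequence.new(
    dns_names.map { |name| OpenSSL::ASN1::IA5String.new(name, 2, :IMPLICIT) }
  )
  cert.add_extension(
    OpenSSL::X509::Extension.new("subjectAltName", general_names.to_der, false)
  )
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Read dNSName entries straight from the DER, as the fixed
# verify_certificate_identity does, so the full length-prefixed string
# (including any embedded NUL) is what gets compared.
def dns_sans(cert)
  cert.extensions.select { |ext| ext.oid == "subjectAltName" }.flat_map do |ext|
    # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue OCTET STRING }
    extn_value    = OpenSSL::ASN1.decode(ext.to_der).value.last
    general_names = OpenSSL::ASN1.decode(extn_value.value)
    general_names.value
                 .select { |gn| gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 2 }
                 .map(&:value)
  end
end

# RFC 6125-style matching with the CVE-2013-4073 checks in front: a presented
# identifier containing a NUL or a non-ASCII byte is rejected outright, labels
# are compared case-insensitively, and a wildcard matches exactly one label.
def hostname_matches?(cert, hostname)
  host_labels = hostname.downcase.split(".")
  dns_sans(cert).any? do |san|
    next false if san.include?("\0") || !san.ascii_only?
    san_labels = san.downcase.split(".")
    next false unless san_labels.size == host_labels.size
    san_labels.zip(host_labels).all? { |s, h| s == "*" || s == h }
  end
end

if __FILE__ == $PROGRAM_NAME
  spoof = build_cert_with_dns_sans(["www.example.com\0.attacker.test"])
  puts "SAN bytes: #{dns_sans(spoof).first.inspect}"
  puts "matches www.example.com? #{hostname_matches?(spoof, 'www.example.com')}"
  puts "Ruby verify_certificate_identity: " \
       "#{OpenSSL::SSL.verify_certificate_identity(spoof, 'www.example.com')}"
end
```

In a client the same check is reached through `SSLSocket#post_connection_check(hostname)` (or, on Ruby 2.4 and later, `SSLContext#verify_hostname = true` with `verify_mode = OpenSSL::SSL::VERIFY_PEER`). The fix changed `verify_certificate_identity` to decode the extension as ASN.1 rather than parse its printed form, so the complete string is compared and an embedded NUL can no longer truncate the name that a CA actually certified.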
Original Source
Url : http://www.debian.org/security/2013/dsa-2738 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17395 | |||
Oval ID: | oval:org.mitre.oval:def:17395 | ||
Title: | USN-1780-1 -- Ruby vulnerability | ||
Description: | Ruby could be made to hang if it received specially crafted input. | ||
Family: | unix | Class: | patch |
Reference(s): | usn-1780-1 CVE-2013-1821 | Version: | 9 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 | Product(s): | ruby1.8 ruby1.9.1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18009 | |||
Oval ID: | oval:org.mitre.oval:def:18009 | ||
Title: | USN-1902-1 -- ruby1.8, ruby1.9.1 vulnerability | ||
Description: | An attacker could trick Ruby into trusting a rogue server. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1902-1 CVE-2013-4073 | Version: | 7 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | ruby1.8 ruby1.9.1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18691 | |||
Oval ID: | oval:org.mitre.oval:def:18691 | ||
Title: | DSA-2738-1 ruby1.9.1 - several | ||
Description: | Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2738-1 CVE-2013-1821 CVE-2013-4073 | Version: | 8 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | ruby1.9.1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20593 | |||
Oval ID: | oval:org.mitre.oval:def:20593 | ||
Title: | RHSA-2013:0612: ruby security update (Moderate) | ||
Description: | lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0612-01 CESA-2013:0612 CVE-2012-4481 CVE-2013-1821 | Version: | 31 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20774 | |||
Oval ID: | oval:org.mitre.oval:def:20774 | ||
Title: | RHSA-2013:0611: ruby security update (Moderate) | ||
Description: | lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0611-00 CESA-2013:0611 CVE-2013-1821 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21171 | |||
Oval ID: | oval:org.mitre.oval:def:21171 | ||
Title: | RHSA-2013:1090: ruby security update (Moderate) | ||
Description: | The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1090-00 CESA-2013:1090 CVE-2013-4073 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23161 | |||
Oval ID: | oval:org.mitre.oval:def:23161 | ||
Title: | ELSA-2013:0611: ruby security update (Moderate) | ||
Description: | lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0611-00 CVE-2013-1821 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24992 | |||
Oval ID: | oval:org.mitre.oval:def:24992 | ||
Title: | SUSE-SU-2014:0689-1 -- Security update for Ruby | ||
Description: | This Ruby update fixes the following security issue: * bnc#808137: Fixed entity expansion DoS vulnerability in REXML (CVE-2013-1821). Security Issue reference: * CVE-2013-1821 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0689-1 CVE-2013-1821 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | Ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25425 | |||
Oval ID: | oval:org.mitre.oval:def:25425 | ||
Title: | SUSE-SU-2014:0337-1 -- Security update for python | ||
Description: | This update for Python fixes the following security issues: * bnc#834601: SSL module does not handle certificates that contain hostnames with NULL bytes. (CVE-2013-4238) * bnc#856836: Various stdlib read flaws. (CVE-2013-1752) Additionally, the following non-security issues have been fixed: * bnc#859068: Turn off OpenSSL's aggressive optimizations that conflict with Python's GC. * bnc#847135: Setting fips=1 at boot time causes problems with Python due to MD5 usage. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0337-1 CVE-2013-4238 CVE-2013-1752 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | python |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25752 | |||
Oval ID: | oval:org.mitre.oval:def:25752 | ||
Title: | SUSE-SU-2013:1260-3 -- Security update for ruby | ||
Description: | Ruby failed to check hostnames correctly when setting up a SSL client connection. CVE-2013-4073 was assigned to this issue. Security Issue reference: * CVE-2013-4073 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1260-3 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25855 | |||
Oval ID: | oval:org.mitre.oval:def:25855 | ||
Title: | SUSE-SU-2013:1260-2 -- Security update for ruby | ||
Description: | Ruby failed to check hostnames correctly when setting up a SSL client connection. CVE-2013-4073 was assigned to this issue. Security Issues: * CVE-2013-4073 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1260-2 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 10 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26038 | |||
Oval ID: | oval:org.mitre.oval:def:26038 | ||
Title: | SUSE-SU-2014:0843-1 -- Security update for ruby | ||
Description: | Ruby received an LTSS roll-up update to fix the following security issues. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0843-1 CVE-2013-1821 CVE-2013-4164 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26239 | |||
Oval ID: | oval:org.mitre.oval:def:26239 | ||
Title: | SUSE-SU-2014:0844-1 -- Security update for ruby | ||
Description: | Ruby received an LTSS roll-up update to fix the following security issues. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0844-1 CVE-2012-4481 CVE-2013-1821 CVE-2013-4164 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26833 | |||
Oval ID: | oval:org.mitre.oval:def:26833 | ||
Title: | DEPRECATED: ELSA-2013-0612 -- ruby security update (moderate) | ||
Description: | [1.8.7.352-10] - escaping vulnerability about Exception#to_s / NameError#to_s * ruby-1.8.7-p371-CVE-2012-4481.patch - Related: rhbz#915379 [1.8.7.352-9] - Fix regression introduced by fix for entity expansion DOS vulnerability in REXML (https://bugs.ruby-lang.org/issues/7961) * ruby-2.0.0-add-missing-rexml-require.patch - Related: rhbz#915379 [1.8.7.352-8] - Addresses entity expansion DoS vulnerability in REXML. * ruby-2.0.0-entity-expansion-DoS-vulnerability-in-REXML.patch - Resolves: rhbz#915379 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0612 CVE-2012-4481 CVE-2013-1821 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27487 | |||
Oval ID: | oval:org.mitre.oval:def:27487 | ||
Title: | DEPRECATED: ELSA-2013-0611 -- ruby security update (moderate) | ||
Description: | [1.8.5-29] - Fix regression introduced by fix for entity expansion DOS vulnerability in REXML (https://bugs.ruby-lang.org/issues/7961) * ruby-2.0.0-add-missing-rexml-require.patch - Related: rhbz#915377 [1.8.5-28] - Addresses entity expansion DoS vulnerability in REXML. * ruby-2.0.0-entity-expansion-DoS-vulnerability-in-REXML.patch - Resolves: rhbz#915377 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0611 CVE-2013-1821 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-02-27 | IAVM : 2014-A-0030 - Apple Mac OS X Security Update 2014-001 Severity : Category I - VMSKEY : V0044547 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-03-15 | XML exponential entity expansion attack attempt RuleID : 29800 - Revision : 4 - Type : FILE-OTHER |
2014-01-10 | XML exponential entity expansion attack attempt RuleID : 27096 - Revision : 5 - Type : FILE-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2018-11-21 | Name : The remote EulerOS Virtualization host is missing multiple security updates. File : EulerOS_SA-2018-1374.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_ruby_20130924.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-27.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-298.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-572.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-575.nasl - Type : ACT_GATHER_INFO |
2014-05-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ruby-140415.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-201402-140224.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote host is missing a Mac OS X update that fixes a certificate validat... File : macosx_10_9_2.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2014-001.nasl - Type : ACT_GATHER_INFO |
2013-12-14 | Name : The remote web server uses a version of PHP that is potentially affected by m... File : php_5_3_28.nasl - Type : ACT_GATHER_INFO |
2013-12-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2809.nasl - Type : ACT_GATHER_INFO |
2013-10-28 | Name : A web application on the remote host has multiple vulnerabilities. File : puppet_enterprise_301.nasl - Type : ACT_GATHER_INFO |
2013-10-23 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_9.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-173.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-195.nasl - Type : ACT_GATHER_INFO |
2013-08-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2738.nasl - Type : ACT_GATHER_INFO |
2013-07-31 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ruby-130708.nasl - Type : ACT_GATHER_INFO |
2013-07-30 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-8639.nasl - Type : ACT_GATHER_INFO |
2013-07-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-201.nasl - Type : ACT_GATHER_INFO |
2013-07-19 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1090.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130717_ruby_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1090.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1090.nasl - Type : ACT_GATHER_INFO |
2013-07-16 | Name : The remote Fedora host is missing a security update. File : fedora_2013-12663.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0611.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0612.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ebd877b97ef44375b1fdc67780581898.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-12123.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-12062.nasl - Type : ACT_GATHER_INFO |
2013-07-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1902-1.nasl - Type : ACT_GATHER_INFO |
2013-06-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-178-01.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-124.nasl - Type : ACT_GATHER_INFO |
2013-04-04 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-8524.nasl - Type : ACT_GATHER_INFO |
2013-03-26 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1780-1.nasl - Type : ACT_GATHER_INFO |
2013-03-17 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-075-01.nasl - Type : ACT_GATHER_INFO |
2013-03-10 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0612.nasl - Type : ACT_GATHER_INFO |
2013-03-08 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130307_ruby_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-03-08 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130307_ruby_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-03-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0612.nasl - Type : ACT_GATHER_INFO |
2013-03-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0611.nasl - Type : ACT_GATHER_INFO |
2013-03-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0611.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:32:05 | |
2013-08-20 17:25:51 | |
2013-08-18 21:20:15 | |