Executive Summary

Summary
Title rubygems security update
Informations
Name RHSA-2013:1203 First vendor Publication 2013-09-04
Vendor RedHat Last vendor Modification 2013-09-04
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score 5.8 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An updated rubygems package that fixes two security issues is now available for Red Hat OpenShift Enterprise 1.2.2.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHOSE Client 1.2 - noarch RHOSE Infrastructure 2.1 - noarch Red Hat OpenShift Enterprise Node - noarch

3. Description:

RubyGems is the Ruby standard for publishing and managing third-party libraries.

It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. (CVE-2012-2125)

It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. (CVE-2012-2126)

All users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to this updated package, which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

814718 - CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-1203.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17580
 
Oval ID: oval:org.mitre.oval:def:17580
Title: USN-1583-1 -- ruby1.9.1 vulnerabilities
Description: Several security issues were fixed in ruby1.9.1 Software Description: - ruby1.9.1: Interpreter of object-oriented scripting language Ruby Details: It was discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels.
Family: unix Class: patch
Reference(s): USN-1583-1
CVE-2011-1005
CVE-2012-2126
CVE-2012-2125
Version: 7
Platform(s): Ubuntu 12.04
Product(s): ruby1.9.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18016
 
Oval ID: oval:org.mitre.oval:def:18016
Title: USN-1582-1 -- rubygems vulnerabilities
Description: RubyGems could be made to download and install malicious gem files.
Family: unix Class: patch
Reference(s): USN-1582-1
CVE-2012-2126
CVE-2012-2125
Version: 7
Platform(s): Ubuntu 12.04
Product(s): rubygems
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 24

OpenVAS Exploits

Date Description
2012-09-27 Name : Ubuntu Update for rubygems USN-1582-1
File : nvt/gb_ubuntu_USN_1582_1.nasl
2012-09-27 Name : Ubuntu Update for ruby1.9.1 USN-1583-1
File : nvt/gb_ubuntu_USN_1583_1.nasl
2012-08-30 Name : Fedora Update for rubygems FEDORA-2012-6132
File : nvt/gb_fedora_2012_6132_rubygems_fc17.nasl
2012-05-04 Name : Fedora Update for rubygems FEDORA-2012-6409
File : nvt/gb_fedora_2012_6409_rubygems_fc16.nasl
2012-05-04 Name : Fedora Update for rubygems FEDORA-2012-6414
File : nvt/gb_fedora_2012_6414_rubygems_fc15.nasl

Nessus® Vulnerability Scanner

Date Description
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_rubygems_20140715.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-1851.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1852.nasl - Type : ACT_GATHER_INFO
2013-10-20 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2013-1441.nasl - Type : ACT_GATHER_INFO
2013-10-20 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2013-1441.nasl - Type : ACT_GATHER_INFO
2013-10-18 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-1441.nasl - Type : ACT_GATHER_INFO
2013-10-18 Name : The remote Scientific Linux host is missing a security update.
File : sl_20131017_rubygems_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-79.nasl - Type : ACT_GATHER_INFO
2012-09-26 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1582-1.nasl - Type : ACT_GATHER_INFO
2012-09-26 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1583-1.nasl - Type : ACT_GATHER_INFO
2012-05-02 Name : The remote Fedora host is missing a security update.
File : fedora_2012-6132.nasl - Type : ACT_GATHER_INFO
2012-05-01 Name : The remote Fedora host is missing a security update.
File : fedora_2012-6409.nasl - Type : ACT_GATHER_INFO
2012-05-01 Name : The remote Fedora host is missing a security update.
File : fedora_2012-6414.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2013-10-02 21:29:34
  • Multiple Updates
2013-10-01 21:23:30
  • Multiple Updates
2013-09-05 00:18:22
  • First insertion