5.8 - USN-1582-1

Executive Summary

Summary
Title	RubyGems vulnerabilities

Informations
Name	USN-1582-1	First vendor Publication	2012-09-26
Vendor	Ubuntu	Last vendor Modification	2012-09-26
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score	5.8	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

RubyGems could be made to download and install malicious gem files.

Software Description: - rubygems: package management framework for Ruby libraries/applications

Details:

John Firebaugh discovered that the RubyGems remote gem fetcher did not properly verify SSL certificates. A remote attacker could exploit this to perform a man in the middle attack to alter gem files being downloaded for installation. (CVE-2012-2126)

John Firebaugh discovered that the RubyGems remote gem fetcher allowed redirection from HTTPS to HTTP. A remote attacker could exploit this to perform a man in the middle attack to alter gem files being downloaded for installation. (CVE-2012-2125)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 LTS:
rubygems 1.8.15-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1582-1
CVE-2012-2125, CVE-2012-2126

Package Information:
https://launchpad.net/ubuntu/+source/rubygems/1.8.15-1ubuntu0.1

Original Source

Url : http://www.ubuntu.com/usn/USN-1582-1

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-310	Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17580

Oval ID:	oval:org.mitre.oval:def:17580
Title:	USN-1583-1 -- ruby1.9.1 vulnerabilities
Description:	Several security issues were fixed in ruby1.9.1 Software Description: - ruby1.9.1: Interpreter of object-oriented scripting language Ruby Details: It was discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels.
Family:	unix	Class:	patch
Reference(s):	USN-1583-1 CVE-2011-1005 CVE-2012-2126 CVE-2012-2125	Version:	7
Platform(s):	Ubuntu 12.04	Product(s):	ruby1.9.1
Definition Synopsis:
Ubuntu 12.04 is installed AND libruby1.9.1 DPKG is earlier than 1.9.3.0-1ubuntu2.2

Definition Id: oval:org.mitre.oval:def:18016

Oval ID:	oval:org.mitre.oval:def:18016
Title:	USN-1582-1 -- rubygems vulnerabilities
Description:	RubyGems could be made to download and install malicious gem files.
Family:	unix	Class:	patch
Reference(s):	USN-1582-1 CVE-2012-2126 CVE-2012-2125	Version:	7
Platform(s):	Ubuntu 12.04	Product(s):	rubygems
Definition Synopsis:
Ubuntu 12.04 is installed AND rubygems DPKG is earlier than 1.8.15-1ubuntu0.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Rubygems cpe:2.3:a:rubygems:rubygems:1.8.9:::::::* cpe:2.3:a:rubygems:rubygems:1.8.8:::::::* cpe:2.3:a:rubygems:rubygems:1.8.7:::::::* cpe:2.3:a:rubygems:rubygems:1.8.6:::::::* cpe:2.3:a:rubygems:rubygems:1.8.5:::::::* cpe:2.3:a:rubygems:rubygems:1.8.4:::::::* cpe:2.3:a:rubygems:rubygems:1.8.3:::::::* cpe:2.3:a:rubygems:rubygems:1.8.22:::::::* cpe:2.3:a:rubygems:rubygems:1.8.21:::::::* cpe:2.3:a:rubygems:rubygems:1.8.20:::::::* cpe:2.3:a:rubygems:rubygems:1.8.2:::::::* cpe:2.3:a:rubygems:rubygems:1.8.19:::::::* cpe:2.3:a:rubygems:rubygems:1.8.18:::::::* cpe:2.3:a:rubygems:rubygems:1.8.17:::::::* cpe:2.3:a:rubygems:rubygems:1.8.16:::::::* cpe:2.3:a:rubygems:rubygems:1.8.15:::::::* cpe:2.3:a:rubygems:rubygems:1.8.14:::::::* cpe:2.3:a:rubygems:rubygems:1.8.13:::::::* cpe:2.3:a:rubygems:rubygems:1.8.12:::::::* cpe:2.3:a:rubygems:rubygems:1.8.11:::::::* cpe:2.3:a:rubygems:rubygems:1.8.10:::::::* cpe:2.3:a:rubygems:rubygems:1.8.1:::::::* cpe:2.3:a:rubygems:rubygems:1.8.0:::::::* cpe:2.3:a:rubygems:rubygems::::::::	24

OpenVAS Exploits

Date	Description
2012-09-27	Name : Ubuntu Update for rubygems USN-1582-1 File : nvt/gb_ubuntu_USN_1582_1.nasl
2012-09-27	Name : Ubuntu Update for ruby1.9.1 USN-1583-1 File : nvt/gb_ubuntu_USN_1583_1.nasl
2012-08-30	Name : Fedora Update for rubygems FEDORA-2012-6132 File : nvt/gb_fedora_2012_6132_rubygems_fc17.nasl
2012-05-04	Name : Fedora Update for rubygems FEDORA-2012-6409 File : nvt/gb_fedora_2012_6409_rubygems_fc16.nasl
2012-05-04	Name : Fedora Update for rubygems FEDORA-2012-6414 File : nvt/gb_fedora_2012_6414_rubygems_fc15.nasl

Nessus® Vulnerability Scanner

Date	Description
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_rubygems_20140715.nasl - Type : ACT_GATHER_INFO
2014-07-22	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1851.nasl - Type : ACT_GATHER_INFO
2014-07-22	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1852.nasl - Type : ACT_GATHER_INFO
2013-10-20	Name : The remote CentOS host is missing a security update. File : centos_RHSA-2013-1441.nasl - Type : ACT_GATHER_INFO
2013-10-20	Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2013-1441.nasl - Type : ACT_GATHER_INFO
2013-10-18	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1441.nasl - Type : ACT_GATHER_INFO
2013-10-18	Name : The remote Scientific Linux host is missing a security update. File : sl_20131017_rubygems_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-79.nasl - Type : ACT_GATHER_INFO
2012-09-26	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1582-1.nasl - Type : ACT_GATHER_INFO
2012-09-26	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1583-1.nasl - Type : ACT_GATHER_INFO
2012-05-02	Name : The remote Fedora host is missing a security update. File : fedora_2012-6132.nasl - Type : ACT_GATHER_INFO
2012-05-01	Name : The remote Fedora host is missing a security update. File : fedora_2012-6409.nasl - Type : ACT_GATHER_INFO
2012-05-01	Name : The remote Fedora host is missing a security update. File : fedora_2012-6414.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:00:47	Multiple Updates
2013-10-02 21:29:34	Multiple Updates
2013-10-01 21:23:31	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	24
Openvas Exploit(s)	5
Nessus® Exploit(s)	13

	Related
5.8	CVE-2012-2125
4.3	CVE-2012-2126
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)

5.8 - USN-1582-1

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU