Executive Summary
Summary | |
---|---|
Title | Ruby vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-2035-1 | First vendor Publication | 2013-11-27 |
Vendor | Ubuntu | Last vendor Modification | 2013-11-27 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 13.04 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Ruby. Software Description: - ruby1.8: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language Details: Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. An attacker could possibly use this issue with an application that converts text to floating point numbers to cause the application to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-4164) Vit Ondruch discovered that Ruby did not perform taint checking for certain functions. An attacker could possibly use this issue to bypass certain intended restrictions. (CVE-2013-2065) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: Ubuntu 13.04: Ubuntu 12.10: Ubuntu 12.04 LTS: In general, a standard system update will make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-2035-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19789 | |||
Oval ID: | oval:org.mitre.oval:def:19789 | ||
Title: | DSA-2810-1 ruby1.9.1 - heap overflow | ||
Description: | Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. If an application using Ruby accepted untrusted input strings and converted them to floating point numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2810-1 CVE-2013-4164 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | ruby1.9.1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19827 | |||
Oval ID: | oval:org.mitre.oval:def:19827 | ||
Title: | USN-2035-1 -- ruby1.8, ruby1.9.1 vulnerabilities | ||
Description: | Several security issues were fixed in Ruby. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2035-1 CVE-2013-4164 CVE-2013-2065 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | ruby1.8 ruby1.9.1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19939 | |||
Oval ID: | oval:org.mitre.oval:def:19939 | ||
Title: | DSA-2809-1 ruby1.8 - several | ||
Description: | Several vulnerabilities have been discovered in the interpreter for the Ruby language. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2809-1 CVE-2013-1821 CVE-2013-4073 CVE-2013-4164 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | ruby1.8 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21247 | |||
Oval ID: | oval:org.mitre.oval:def:21247 | ||
Title: | RHSA-2013:1764: ruby security update (Critical) | ||
Description: | Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1764-00 CESA-2013:1764 CVE-2013-4164 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24019 | |||
Oval ID: | oval:org.mitre.oval:def:24019 | ||
Title: | ELSA-2013:1764: ruby security update (Critical) | ||
Description: | Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1764-00 CVE-2013-4164 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26963 | |||
Oval ID: | oval:org.mitre.oval:def:26963 | ||
Title: | DEPRECATED: ELSA-2013-1764 -- ruby security update (critical) | ||
Description: | [1.8.7.352-13] - Workaround build issues against OpenSSL with enabled ECC curves. - Make DRb compatible with OpenSSL 1.0.1. * ruby-1.9.3-p222-generate-1024-bits-RSA-key-instead-of-512-bits.patch - Fix CVE-2013-4164 Heap Overflow in Floating Point Parsing * ruby-1.9.3-p484-CVE-2013-4164-ignore-too-long-fraction-part-which-does-not-affect-the-result.patch - Resolves: rhbz#1033500 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1764 CVE-2013-4164 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-06-01 | Name : The remote Debian host is missing a security update. File : debian_DLA-235.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_ruby_20140731.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_ruby_20140114.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-27.nasl - Type : ACT_GATHER_INFO |
2014-11-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1764.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1767.nasl - Type : ACT_GATHER_INFO |
2014-10-21 | Name : The remote host is missing a security update for OS X Server. File : macosx_server_4_0.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-943.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-940.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-806.nasl - Type : ACT_GATHER_INFO |
2014-05-21 | Name : The remote host is missing a security update for OS X Server. File : macosx_server_3_1_2.nasl - Type : ACT_GATHER_INFO |
2014-04-22 | Name : The remote host is missing a Mac OS X update that fixes multiple security iss... File : macosx_SecUpd2014-002.nasl - Type : ACT_GATHER_INFO |
2014-03-21 | Name : A web application on the remote host is affected by multiple vulnerabilities. File : puppet_enterprise_311.nasl - Type : ACT_GATHER_INFO |
2013-12-17 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-350-06.nasl - Type : ACT_GATHER_INFO |
2013-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22393.nasl - Type : ACT_GATHER_INFO |
2013-12-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22315.nasl - Type : ACT_GATHER_INFO |
2013-12-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2809.nasl - Type : ACT_GATHER_INFO |
2013-12-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2810.nasl - Type : ACT_GATHER_INFO |
2013-12-05 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ruby-131125.nasl - Type : ACT_GATHER_INFO |
2013-12-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131125_ruby_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-12-04 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22423.nasl - Type : ACT_GATHER_INFO |
2013-11-29 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1764.nasl - Type : ACT_GATHER_INFO |
2013-11-29 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2035-1.nasl - Type : ACT_GATHER_INFO |
2013-11-27 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-286.nasl - Type : ACT_GATHER_INFO |
2013-11-26 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-248.nasl - Type : ACT_GATHER_INFO |
2013-11-26 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-247.nasl - Type : ACT_GATHER_INFO |
2013-11-26 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1764.nasl - Type : ACT_GATHER_INFO |
2013-11-25 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_cc9043cf7f7a426eb2cc8d1980618113.nasl - Type : ACT_GATHER_INFO |
2013-10-29 | Name : A web application on the remote host is affected by multiple vulnerabilities. File : puppet_enterprise_310.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-229.nasl - Type : ACT_GATHER_INFO |
2013-05-30 | Name : The remote Fedora host is missing a security update. File : fedora_2013-8411.nasl - Type : ACT_GATHER_INFO |
2013-05-30 | Name : The remote Fedora host is missing a security update. File : fedora_2013-8375.nasl - Type : ACT_GATHER_INFO |
2013-05-30 | Name : The remote Fedora host is missing a security update. File : fedora_2013-8738.nasl - Type : ACT_GATHER_INFO |
2013-05-28 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_79789daa8af84e21a47fe8a645752bdb.nasl - Type : ACT_GATHER_INFO |
2013-05-17 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-136-02.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:02:48 |
|
2013-11-27 21:27:06 |
|