Executive Summary
| Summary | |
|---|---|
| Title | Updated ruby package fixes security flaw |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2004:441 | First vendor Publication | 2004-09-30 |
| Vendor | RedHat | Last vendor Modification | 2004-09-30 |
| Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 2.1 | Attack Range | Local |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An updated ruby package that fixes insecure file permissions for CGI session files is now available. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: Ruby is an interpreted scripting language for object-oriented programming. Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue. Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 130065 - CAN-2004-0755 ruby insecure file permissions |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2004-441.html |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:11128 | |||
| Oval ID: | oval:org.mitre.oval:def:11128 | ||
| Title: | The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. | ||
| Description: | The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0755 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200409-08 (dev-lang/ruby) File : nvt/glsa_200409_08.nasl |
| 2008-09-04 | Name : FreeBSD Ports: ruby File : nvt/freebsd_ruby0.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 537-1 (ruby) File : nvt/deb_537_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 8845 | Ruby CGI Session Management Insecure File Creation Ruby contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the cgi::session's filestore stores session information in temporary files created without any regard to permissions. Permissions are set only using the umask value, which may disclose the CGI session variable data resulting in a loss of confidentiality |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-11-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2004-403.nasl - Type : ACT_GATHER_INFO |
| 2004-11-09 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-128.nasl - Type : ACT_GATHER_INFO |
| 2004-10-15 | Name : The remote Fedora Core host is missing a security update. File : fedora_2004-264.nasl - Type : ACT_GATHER_INFO |
| 2004-10-02 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2004-441.nasl - Type : ACT_GATHER_INFO |
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-537.nasl - Type : ACT_GATHER_INFO |
| 2004-09-04 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200409-08.nasl - Type : ACT_GATHER_INFO |
| 2004-08-17 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_ruby_181.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:48:38 |
|
