Executive Summary

Summary
Title Ruby vulnerabilities
Informations
Name USN-2397-1 First vendor Publication 2014-11-04
Vendor Ubuntu Last vendor Modification 2014-11-04
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description: - ruby2.0: Object-oriented scripting language - ruby2.1: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby1.8: Object-oriented scripting language

Details:

Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2014-4975)

Willis Vandevanter discovered that Ruby incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of resources, resulting in a denial of service. (CVE-2014-8080)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10:
libruby2.0 2.0.0.484+really457-3ubuntu1.1
libruby2.1 2.1.2-2ubuntu1.1
ruby2.0 2.0.0.484+really457-3ubuntu1.1
ruby2.1 2.1.2-2ubuntu1.1

Ubuntu 14.04 LTS:
libruby1.9.1 1.9.3.484-2ubuntu1.1
libruby2.0 2.0.0.484-1ubuntu2.1
ruby1.9.1 1.9.3.484-2ubuntu1.1
ruby2.0 2.0.0.484-1ubuntu2.1

Ubuntu 12.04 LTS:
libruby1.8 1.8.7.352-2ubuntu1.5
libruby1.9.1 1.9.3.0-1ubuntu2.9
ruby1.8 1.8.7.352-2ubuntu1.5
ruby1.9.1 1.9.3.0-1ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2397-1
CVE-2014-4975, CVE-2014-8080

Package Information:
https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484+really457-3ubuntu1.1
https://launchpad.net/ubuntu/+source/ruby2.1/2.1.2-2ubuntu1.1
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.484-2ubuntu1.1
https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484-1ubuntu2.1
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu1.5
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.9

Original Source

Url : http://www.ubuntu.com/usn/USN-2397-1

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:28247
 
Oval ID: oval:org.mitre.oval:def:28247
Title: USN-2397-1 -- Ruby vulnerabilities
Description: Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-4975">CVE-2014-4975</a>) Willis Vandevanter discovered that Ruby incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of resources, resulting in a denial of service. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-8080">CVE-2014-8080</a>)
Family: unix Class: patch
Reference(s): USN-2397-1
CVE-2014-4975
CVE-2014-8080
 Version: 5
Platform(s): Ubuntu 14.10
Ubuntu 14.04
Ubuntu 12.04
 Product(s): ruby1.8
ruby1.9.1
ruby2.0
ruby2.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28303
 
Oval ID: oval:org.mitre.oval:def:28303
Title: ELSA-2014-1912 -- ruby security update (moderate)
Description: [2.0.0.353-22] - Fix REXML billion laughs attack via parameter entity expansion (CVE-2014-8080). Resolves: rhbz#1163998 - REXML incomplete fix for CVE-2014-8080 (CVE-2014-8090). Resolves: rhbz#1163998 [2.0.0.353-21] - Fix off-by-one stack-based buffer overflow in the encodes() function (CVE-2014-4975) Resolves: rhbz#1163998 [2.0.0.353-21] - Fix FTBFS with new tzdata Related: rhbz#1163998
Family: unix Class: patch
Reference(s): ELSA-2014-1912
CVE-2014-8080
CVE-2014-8090
CVE-2014-4975
 Version: 3
Platform(s): Oracle Linux 7
 Product(s): ruby
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 955
Os 4
Os 2
Os 2
Os 2
Os 1
Os 1
Os 1
Os 1

Nessus® Vulnerability Scanner

Date Description
2018-11-21 Name : The remote EulerOS Virtualization host is missing multiple security updates.
File : EulerOS_SA-2018-1374.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2017-527.nasl - Type : ACT_GATHER_INFO
2017-04-21 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2017-1067-1.nasl - Type : ACT_GATHER_INFO
2015-10-05 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_10_11.nasl - Type : ACT_GATHER_INFO
2015-04-16 Name : The remote Debian host is missing a security update.
File : debian_DLA-200.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-129.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-88.nasl - Type : ACT_GATHER_INFO
2015-02-11 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3159.nasl - Type : ACT_GATHER_INFO
2015-02-10 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3157.nasl - Type : ACT_GATHER_INFO
2015-01-27 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_ruby-141230.nasl - Type : ACT_GATHER_INFO
2015-01-05 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-6.nasl - Type : ACT_GATHER_INFO
2015-01-05 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-1.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201412-27.nasl - Type : ACT_GATHER_INFO
2014-12-09 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-758.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141126_ruby_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141126_ruby_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1912.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1911.nasl - Type : ACT_GATHER_INFO
2014-11-27 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1912.nasl - Type : ACT_GATHER_INFO
2014-11-27 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1911.nasl - Type : ACT_GATHER_INFO
2014-11-27 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1912.nasl - Type : ACT_GATHER_INFO
2014-11-27 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1911.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-225.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-449.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-448.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-447.nasl - Type : ACT_GATHER_INFO
2014-11-11 Name : The remote Fedora host is missing a security update.
File : fedora_2014-14096.nasl - Type : ACT_GATHER_INFO
2014-11-06 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-441.nasl - Type : ACT_GATHER_INFO
2014-11-06 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-439.nasl - Type : ACT_GATHER_INFO
2014-11-05 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2397-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Date Informations
2016-12-13 09:26:25
  • Multiple Updates
2016-11-29 00:28:34
  • Multiple Updates
2016-10-12 09:25:40
  • Multiple Updates
2016-06-29 01:31:09
  • Multiple Updates
2015-10-10 09:29:29
  • Multiple Updates
2015-04-24 00:32:31
  • Multiple Updates
2015-04-23 09:32:20
  • Multiple Updates
2015-03-12 09:29:51
  • Multiple Updates
2015-02-12 00:26:36
  • Multiple Updates
2014-12-19 17:26:31
  • Multiple Updates
2014-12-16 17:31:58
  • Multiple Updates
2014-12-12 09:30:49
  • Multiple Updates
2014-12-10 09:31:30
  • Multiple Updates
2014-12-03 21:32:20
  • Multiple Updates
2014-12-03 09:32:37
  • Multiple Updates
2014-11-17 17:29:10
  • Multiple Updates
2014-11-16 00:32:18
  • Multiple Updates
2014-11-06 13:28:23
  • Multiple Updates
2014-11-05 09:29:01
  • Multiple Updates
2014-11-05 05:33:41
  • Multiple Updates
2014-11-05 00:26:58
  • Multiple Updates
2014-11-04 21:23:51
  • First insertion