Executive Summary
Summary | |
---|---|
Title | Ruby vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-900-1 | First vendor Publication | 2010-02-16 |
Vendor | Ubuntu | Last vendor Modification | 2010-02-16 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 8.10 Ubuntu 9.04 Ubuntu 9.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.10: Ubuntu 9.04: Ubuntu 9.10: In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Emmanouel Kellinis discovered that Ruby did not properly handle certain string operations. An attacker could exploit this issue and possibly execute arbitrary code with application privileges. (CVE-2009-4124) Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that Ruby did not properly sanitize data written to log files. An attacker could insert specially-crafted data into log files which could affect certain terminal emulators and cause arbitrary files to be overwritten, or even possibly execute arbitrary commands. (CVE-2009-4492) It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904) |
Original Source
Url : http://www.ubuntu.com/usn/USN-900-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:22900 | |||
Oval ID: | oval:org.mitre.oval:def:22900 | ||
Title: | ELSA-2009:1140: ruby security update (Moderate) | ||
Description: | The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1140-02 CVE-2007-1558 CVE-2009-0642 CVE-2009-1904 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:29258 | |||
Oval ID: | oval:org.mitre.oval:def:29258 | ||
Title: | RHSA-2009:1140 -- ruby security update (Moderate) | ||
Description: | Updated ruby packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:1140 CESA-2009:1140-CentOS 5 CVE-2007-1558 CVE-2009-0642 CVE-2009-1904 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 CentOS Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9780 | |||
Oval ID: | oval:org.mitre.oval:def:9780 | ||
Title: | The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. | ||
Description: | The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-1904 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for irb CESA-2011:0908 centos4 x86_64 File : nvt/gb_CESA-2011_0908_irb_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for ruby CESA-2011:0909 centos5 x86_64 File : nvt/gb_CESA-2011_0909_ruby_centos5_x86_64.nasl |
2011-08-18 | Name : CentOS Update for irb CESA-2011:0908 centos4 i386 File : nvt/gb_CESA-2011_0908_irb_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for ruby CESA-2009:1140 centos5 i386 File : nvt/gb_CESA-2009_1140_ruby_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for ruby CESA-2011:0909 centos5 i386 File : nvt/gb_CESA-2011_0909_ruby_centos5_i386.nasl |
2011-07-08 | Name : RedHat Update for ruby RHSA-2011:0908-01 File : nvt/gb_RHSA-2011_0908-01_ruby.nasl |
2011-07-08 | Name : RedHat Update for ruby RHSA-2011:0909-01 File : nvt/gb_RHSA-2011_0909-01_ruby.nasl |
2010-08-30 | Name : Fedora Update for ruby FEDORA-2010-13341 File : nvt/gb_fedora_2010_13341_ruby_fc12.nasl |
2010-05-12 | Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002 File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl |
2010-03-02 | Name : Fedora Update for ruby FEDORA-2010-0533 File : nvt/gb_fedora_2010_0533_ruby_fc11.nasl |
2010-03-02 | Name : Fedora Update for ruby FEDORA-2010-0530 File : nvt/gb_fedora_2010_0530_ruby_fc12.nasl |
2010-02-19 | Name : Ubuntu Update for ruby1.9 vulnerabilities USN-900-1 File : nvt/gb_ubuntu_USN_900_1.nasl |
2010-01-20 | Name : Gentoo Security Advisory GLSA 201001-09 (ruby) File : nvt/glsa_201001_09.nasl |
2010-01-20 | Name : Mandriva Update for ruby MDVSA-2010:017 (ruby) File : nvt/gb_mandriva_MDVSA_2010_017.nasl |
2010-01-13 | Name : Ruby WEBrick Terminal Escape Sequence in Logs Command Injection Vulnerability File : nvt/ruby_WEBrick_37710.nasl |
2009-12-23 | Name : Ruby Interpreter Heap Overflow Vulnerability (Windows) - Dec09 File : nvt/secpod_ruby_heap_bof_vuln_win_dec09.nasl |
2009-12-23 | Name : Ruby Interpreter Heap Overflow Vulnerability (Linux) - Dec09 File : nvt/secpod_ruby_heap_bof_vuln_lin_dec09.nasl |
2009-12-14 | Name : FreeBSD Ports: ruby File : nvt/freebsd_ruby11.nasl |
2009-12-14 | Name : Fedora Core 10 FEDORA-2009-13066 (ruby) File : nvt/fcore_2009_13066.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:325 (ruby) File : nvt/mdksa_2009_325.nasl |
2009-10-11 | Name : SLES11: Security update for ruby File : nvt/sles11_ruby.nasl |
2009-10-10 | Name : SLES9: Security update for ruby File : nvt/sles9p5053737.nasl |
2009-08-17 | Name : Debian Security Advisory DSA 1860-1 (ruby1.8, ruby1.9) File : nvt/deb_1860_1.nasl |
2009-08-17 | Name : Mandrake Security Advisory MDVSA-2009:177 (ruby) File : nvt/mdksa_2009_177.nasl |
2009-07-29 | Name : Mandrake Security Advisory MDVSA-2009:160 (ruby) File : nvt/mdksa_2009_160.nasl |
2009-07-29 | Name : SuSE Security Advisory SUSE-SA:2009:037 (dhcp-client) File : nvt/suse_sa_2009_037.nasl |
2009-07-29 | Name : Ubuntu USN-805-1 (ruby1.9) File : nvt/ubuntu_805_1.nasl |
2009-07-06 | Name : CentOS Security Advisory CESA-2009:1140 (ruby) File : nvt/ovcesa2009_1140.nasl |
2009-07-06 | Name : RedHat Security Advisory RHSA-2009:1140 File : nvt/RHSA_2009_1140.nasl |
2009-06-30 | Name : Gentoo Security Advisory GLSA 200906-02 (ruby) File : nvt/glsa_200906_02.nasl |
2009-06-23 | Name : Ruby BigDecimal Library Denial of Service Vulnerability (Linux) File : nvt/secpod_ruby_bigdecimal_lib_dos_vuln.nasl |
2009-06-15 | Name : FreeBSD Ports: ruby, ruby+pthreads, ruby+pthreads+oniguruma, ruby+oniguruma File : nvt/freebsd_ruby10.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-170-02 ruby File : nvt/esoft_slk_ssa_2009_170_02.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61774 | WEBrick HTTP Request Escape Sequence Terminal Command Injection |
60880 | Ruby string.c rb_str_justify() Function Overflow |
55031 | Ruby BigDecimal Library Float Data Type Conversion String Argument Handling DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0908.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1140.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0909.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0909.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110628_ruby_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090702_ruby_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110628_ruby_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2011-08-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0908.nasl - Type : ACT_GATHER_INFO |
2011-06-29 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0909.nasl - Type : ACT_GATHER_INFO |
2011-06-29 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0908.nasl - Type : ACT_GATHER_INFO |
2011-05-31 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ruby-110517.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-6338.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-0533.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-0530.nasl - Type : ACT_GATHER_INFO |
2010-03-29 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_3.nasl - Type : ACT_GATHER_INFO |
2010-03-29 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO |
2010-02-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201001-09.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1860.nasl - Type : ACT_GATHER_INFO |
2010-02-17 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-900-1.nasl - Type : ACT_GATHER_INFO |
2010-01-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-017.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1140.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-13066.nasl - Type : ACT_GATHER_INFO |
2009-12-10 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_eab8c3bde50c11de9cd0001a926c7637.nasl - Type : ACT_GATHER_INFO |
2009-12-08 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-325.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_ruby-6339.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12452.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ruby-090703.nasl - Type : ACT_GATHER_INFO |
2009-07-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-160.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_ruby-090703.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_ruby-090703.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-805-1.nasl - Type : ACT_GATHER_INFO |
2009-07-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1140.nasl - Type : ACT_GATHER_INFO |
2009-06-29 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200906-02.nasl - Type : ACT_GATHER_INFO |
2009-06-21 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-170-02.nasl - Type : ACT_GATHER_INFO |
2009-06-15 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_62e0fbe5579811debb78001cc0377035.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:06:36 |
|