Debian DSA-1157-1 : ruby1.8 - several vulnerabilities

Severity: Medium | Nessus Plugin ID 22699

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to the bypass of security restrictions or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2006-1931 It was discovered that the use of blocking sockets can lead to denial of service.

- CVE-2006-3964 It was discovered that Ruby does not properly maintain 'safe levels' for aliasing, directory accesses and regular expressions, which might lead to a bypass of security restrictions.

Solution

Upgrade the Ruby packages.

For the stable distribution (sarge) these problems have been fixed in version 1.8.2-7sarge4.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365520

https://security-tracker.debian.org/tracker/CVE-2006-1931

https://security-tracker.debian.org/tracker/CVE-2006-3964

http://www.debian.org/security/2006/dsa-1157

Plugin Details

Severity: Medium

ID: 22699

File Name: debian_DSA-1157.nasl

Version: 1.16

Type: local

Agent: unix

Published: 10/14/2006

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby1.8, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/27/2006

Vulnerability Publication Date: 11/21/2005

Reference Information

CVE: CVE-2006-1931, CVE-2006-3694

DSA: 1157