Amazon Linux AMI : rubygems Multiple Vulnerabilities (ALAS-2012-79)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

This release increases the security used when RubyGems is talking to
an https server. If you use a custom RubyGems server over SSL, this
release will cause RubyGems to no longer connect unless your SSL cert
is globally valid.

Specifically, this release disallows redirects from https to http and
turns on verification of server SSL certs.
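
The two behaviours described above (certificate verification on, no https-to-http redirects), sketched as an added Ruby example using the standard Net::HTTP library; this is not RubyGems' own code or part of the plugin. The names `next_hop`, `verified_connection`, `fetch` and `InsecureRedirect` are hypothetical.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical error class for this example.
class InsecureRedirect < StandardError; end

# Resolve a Location header against the current URI and refuse any
# redirect that leaves https once the request started on https.
def next_hop(current, location)
  raise InsecureRedirect, 'redirect without Location header' if location.nil?
  target = URI.join(current.to_s, location)
  unless %w[http https].include?(target.scheme)
    raise InsecureRedirect, "unsupported scheme: #{target.scheme}"
  end
  if current.scheme == 'https' && target.scheme != 'https'
    raise InsecureRedirect, "refusing downgrade #{current} -> #{target}"
  end
  target
end

# Build a connection object that verifies the server certificate chain
# and hostname. Nothing is sent until a request is made.
def verified_connection(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  http
end

# Follow redirects under the policy above, with a hop limit.
def fetch(url, limit = 5)
  uri = URI(url)
  limit.times do
    res = verified_connection(uri).request_get(uri.request_uri)
    return res unless res.is_a?(Net::HTTPRedirection)
    uri = next_hop(uri, res['location'])
  end
  raise InsecureRedirect, 'too many redirects'
end
```

With this policy a gem server whose certificate does not chain to a trusted CA fails the TLS handshake instead of being used silently, which is the behaviour change the advisory warns custom-server operators about.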

See also :

https://github.com/rubygems/rubygems/blob/1.8/History.txt
http://www.nessus.org/u?89a45fcb

Solution :

Run 'yum update rubygems' to update your system.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69686

Bugtraq ID:

CVE ID: CVE-2012-2125
CVE-2012-2126