Mandriva Linux Security Advisory : ruby (MDVSA-2011:097)
Medium Nessus Plugin ID 54626
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities have been identified and fixed in ruby :
Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page (CVE-2010-0541).
The FileUtils.remove_entry_secure method in Ruby allows local users to delete arbitrary files via a symlink attack (CVE-2011-1004).
The safe-level feature in Ruby allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname (CVE-2011-1005).
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an integer truncation issue. (CVE-2011-0188).
Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
The updated packages have been patched to correct this issue.
SolutionUpdate the affected packages.