[SECURITY] [DLA 88-1] ruby1.8 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 88-1] ruby1.8 security update
From: Holger Levsen <holger@layer-acht.org>
Date: Fri, 21 Nov 2014 16:18:14 +0100
Message-id: <[🔎] 201411211618.16031.holger@layer-acht.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : ruby1.8
Version        : 1.8.7.302-2squeeze3
CVE ID         : CVE-2011-0188 CVE-2011-2686 CVE-2011-2705 CVE-2011-4815
                 CVE-2014-8080 CVE-2014-8090

This update fixes multiple local and remote denial of service and remote code
execute problems:

CVE-2011-0188 
 
Properly allocate memory, to prevent arbitrary code execution or application 
crash. Reported by Drew Yao.

CVE-2011-2686

Reinitialize the random seed when forking to prevent  CVE-2003-0900 like 
situations.

CVE-2011-2705 
 
Modify PRNG state to prevent random number sequence repeatation at forked 
child process which has same pid. Reported by Eric Wong.

CVE-2011-4815

Fix a problem with predictable hash collisions resulting in denial of service 
(CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.

CVE-2014-8080

Fix REXML parser to prevent memory consumption denial of service via crafted 
XML documents. Reported by Willis Vandevanter.

CVE-2014-8090

Add REXML::Document#document to complement the fix for  CVE-2014-8080.
Reported by Tomas Hoger.

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: [SECURITY] [DLA 87-1] dbus security update
Next by Date: [SECURITY] [DLA 89-1] nss security update
Previous by thread: [SECURITY] [DLA 87-1] dbus security update
Next by thread: [SECURITY] [DLA 89-1] nss security update
Index(es):
- Date
- Thread