
[SECURITY] [DLA 263-1] ruby1.9.1 security update

Package        : ruby1.9.1
Version        :
CVE ID         : CVE-2012-5371 CVE-2013-0269
Debian Bug     : 693024 700471

Two vulnerabilities were identified in the Ruby language interpreter,
version 1.9.1.

CVE-2012-5371

    Jean-Philippe Aumasson identified that Ruby computed hash values
    without properly restricting the ability to trigger hash collisions
    predictably, allowing context-dependent attackers to cause a denial
    of service (CPU consumption). This is a different vulnerability than

CVE-2013-0269

    Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby
    allowed remote attackers to cause a denial of service (resource
    consumption) or bypass the mass assignment protection mechanism via
    a crafted JSON document that triggers the creation of arbitrary Ruby
    symbols or certain internal objects.

For the squeeze distribution, these vulnerabilities have been fixed in
version of ruby1.9.1. We recommend that you upgrade
your ruby1.9.1 package.
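As an added check that is not part of the advisory, the Ruby script below shows how to parse untrusted JSON so that it cannot instantiate objects or intern attacker-chosen keys as Symbols (the CVE-2013-0269 behaviour), and verifies after parsing that none of the document's keys ended up in the interpreter's symbol table. The sample document, the key names and the class name `HypotheticalClass` are constructed for this example; the hash-collision issue (CVE-2012-5371) is not exercised here.

```ruby
require 'json'
require 'set'

# Parse untrusted JSON so that it can only yield plain data:
# - create_additions: false stops the gem from building objects of classes
#   named inside the document (the object-creation half of CVE-2013-0269)
# - symbolize_names: false keeps keys as Strings; symbolizing untrusted keys
#   would intern attacker-chosen names as Symbols (the symbol-creation half)
def parse_untrusted(src)
  JSON.parse(src, create_additions: false, symbolize_names: false)
end

# Return the document keys that exist in the interpreter's symbol table after
# the parse. With the options above this should be empty, however many unique
# keys the document carries.
def interned_keys(obj)
  names = Symbol.all_symbols.map(&:to_s).to_set   # snapshot of the symbol table
  obj.keys.select { |k| names.include?(k) }
end

# Constructed sample: 2000 unique keys that cannot already be interned, plus a
# "json_class" member, which older json gems treated as an instruction to
# create an object of that class (here a hypothetical name).
def sample_document
  pairs = (0...2000).map { |i| %("untrusted_key_#{i}_#{rand(1 << 30)}":#{i}) }
  pairs << %("json_class":"HypotheticalClass")
  "{#{pairs.join(',')}}"
end

# Parse the sample and report what came back; returns [object, interned keys].
def check_sample
  obj = parse_untrusted(sample_document)
  [obj, interned_keys(obj)]
end

if __FILE__ == $PROGRAM_NAME
  obj, leaked = check_sample
  puts "keys: #{obj.size}, json_class is a #{obj['json_class'].class}, " \
       "keys interned as Symbols: #{leaked.size}"
end
```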
