Ubuntu Security Notice 900-1 - Emmanouel Kellinis discovered that Ruby did not properly handle certain string operations. An attacker could exploit this issue and possibly execute arbitrary code with application privileges. Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that Ruby did not properly sanitize data written to log files. An attacker could insert specially-crafted data into log files which could affect certain terminal emulators and cause arbitrary files to be overwritten, or even possibly execute arbitrary commands. It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. This issue only affected Ubuntu 9.10.
70b75a6c7bfeabf4136e18e897f88132e74cb4a9c3e67e5d0923c49a358f6156
Mandriva Linux Security Advisory 2009-325 - ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate. The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides a solution to these vulnerabilities.
e2077ce129461d0a497c42e86d0c3e3ab2181e15b32eb65c1f3946d4694469cc
Debian Security Advisory 1860-1 - Several vulnerabilities have been discovered in Ruby.
11affe671bc325d35bbacdaba1cc0dff84af2b4d7f43397ff4731fd74ebce484
Mandriva Linux Security Advisory 2009-177 - The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. This update corrects the problem.
0fd98c4ebc36f2cd2987b88dc0bb1f02ad698ffd6f931d8903d8e2f37cd345ee
Mandriva Linux Security Advisory 2009-160 - The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. This update corrects the problem.
1a4fc3227a9c7ac57cc3cb0a7ef3171a6b6750fcdf5356e6937f862a5750b2ff
Ubuntu Security Notice USN-805-1 - It was discovered that Ruby did not properly validate certificates. An attacker could exploit this and present invalid or revoked X.509 certificates. It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service.
4f72a70fd200ee1273e4776e82b8528015c978b29ef39631d27d00a2af0926b2
Gentoo Linux Security Advisory GLSA 200906-02 - A flaw in the Ruby standard library might allow remote attackers to cause a Denial of Service attack. Tadayoshi Funaba reported that BigDecimal in ext/bigdecimal/bigdecimal.c does not properly handle string arguments containing overly long numbers. Versions less than 1.8.6_p369 are affected.
271e2cbee460e7669a9c6939724fce93d9eab44717c251741da107d279cd04eb