Gentoo Linux Security Advisory 201412-27 - Multiple vulnerabilities have been found in Ruby, allowing context-dependent attackers to cause a Denial of Service condition. Versions less than 2.0.0_p598 are affected.
Debian Linux Security Advisory 2809-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language.
Red Hat Security Advisory 2013-1185-01 - Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an integration platform. Red Hat JBoss Fuse 6.0.0 patch 2 is an update to Red Hat JBoss Fuse 6.0.0 and includes bug fixes.
Debian Linux Security Advisory 2738-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems.
Red Hat Security Advisory 2013-1147-01 - Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release: The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
Mandriva Linux Security Advisory 2013-200 - The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005. lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion attack. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. The updated packages have been patched to correct these issues.
Red Hat Security Advisory 2013-1028-01 - Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration platform. This release of Fuse ESB Enterprise 7.1.0 roll up patch 1 is an update to Fuse ESB Enterprise 7.1.0 and includes bug fixes.
Mandriva Linux Security Advisory 2013-124 - Shugo Maeda and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory.
Ubuntu Security Notice 1780-1 - Ben Murphy discovered that the Ruby REXML library incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of memory, resulting in a denial of service.
Slackware Security Advisory - New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix security issues. Related CVE Numbers: CVE-2013-0269, CVE-2013-1821.
Red Hat Security Advisory 2013-0612-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted code to modify arbitrary, trusted strings, which safe level 4 restrictions would otherwise prevent.
Red Hat Security Advisory 2013-0611-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve this issue.