 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:160
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ruby
 Date    : July 27, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173
 allows context-dependent attackers to cause a denial of service
 (application crash) via a string argument that represents a large
 number, as demonstrated by an attempted conversion to the Float data
 type.

 This update corrects the problem.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1904
 _______________________________________________________________________
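As an added defensive example (not part of this advisory and not Ruby's own fix), the Ruby code below shows two checks an operator can run against the problem described above: whether the interpreter's patch level predates the fixed releases named in the advisory, and a bounded conversion of untrusted decimal text to Float that refuses exponents beyond what a double can hold instead of passing them straight to BigDecimal#to_f. The exponent cut-off and the helper names are assumptions of this example.

```ruby
require 'bigdecimal'

# First fixed patch levels named in MDVSA-2009:160 for the two affected
# 1.8 branches.
FIXED_PATCHLEVEL = { '1.8.6' => 369, '1.8.7' => 173 }.freeze

# Largest base-10 exponent an IEEE-754 double can carry (308). Using it as
# the cut-off for untrusted input is an assumption of this example, not the
# upstream fix.
MAX_FLOAT_EXP10 = Float::MAX_10_EXP

# True when the given interpreter version is an affected 1.8 branch at a
# patch level below the fix. Defaults to the running interpreter.
def affected_ruby?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  fixed = FIXED_PATCHLEVEL[version]
  return false if fixed.nil?
  patchlevel < fixed
end

# Base-10 exponent of a decimal string as BigDecimal stores it: the position
# of the decimal point relative to the first significant digit, so "1.5e308"
# has exponent 309. No Float conversion is involved.
def decimal_exponent(str)
  BigDecimal(str).exponent
end

# Convert untrusted decimal text to Float without handing an arbitrarily
# large exponent to BigDecimal#to_f. Inputs whose exponent exceeds the Float
# range, or that would still overflow to Infinity, are rejected with
# ArgumentError before or instead of the conversion result being used.
def safe_to_f(str, limit = MAX_FLOAT_EXP10 + 1)
  value = BigDecimal(str)            # raises ArgumentError on malformed text
  return 0.0 if value.zero?
  if value.exponent > limit
    raise ArgumentError, "decimal exponent #{value.exponent} exceeds Float range"
  end
  result = value.to_f
  raise ArgumentError, "value overflows Float" unless result.finite?
  result
end

if $PROGRAM_NAME == __FILE__
  puts "interpreter affected: #{affected_ruby?}"
  puts safe_to_f("123.456")
  puts((safe_to_f("1e400") rescue "rejected: out-of-range exponent"))
end
```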
 Updated Packages:

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team
 by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/