ruby-1.8.7.299-7.1.0.1.AXS4

エラータID: AXSA:2011-614:01

リリース日: 
2011/12/28 Wednesday - 11:55
題名: 
ruby-1.8.7.299-7.1.0.1.AXS4
影響のあるチャネル: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
Security issues fixed with this release:
CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
CVE-2011-1004
The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
CVE-2011-1005
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

解決策: 

Update packages.

CVE: 
CVE-2011-0188
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
CVE-2011-1004
The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
CVE-2011-1005
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.




追加情報: 

From Asianux Server 4 SP1.

ダウンロード: 

SRPMS
  1. ruby-1.8.7.299-7.1.0.1.AXS4.src.rpm
    MD5: 579bdf507aa162acc03d004a2b8d7cfa
    SHA-256: c4819dac6349b816b961412cb5b8e43f21ce7d278535bcfe63b4aef2d569bc3b
    Size: 8.25 MB

Asianux Server 4 for x86
  1. ruby-1.8.7.299-7.1.0.1.AXS4.i686.rpm
    MD5: 1a3b4ff73ac86a8211b48c854ab4c216
    SHA-256: 22dbddebdf2ec77dc140b058158920c515ff262c40bae393527691015b7e4413
    Size: 525.06 kB
  2. ruby-irb-1.8.7.299-7.1.0.1.AXS4.i686.rpm
    MD5: 4b407638c6a05ce632da3b77d88833e8
    SHA-256: dae1d47d66e666f8fcf1080aa04da32c9721bf6f0cbbc879f217d8c2321bc817
    Size: 305.40 kB
  3. ruby-libs-1.8.7.299-7.1.0.1.AXS4.i686.rpm
    MD5: 6336f06bdafc4664bc5d85dc6f5c746f
    SHA-256: ef7703245fe529494ee69fbfa83a06f159c7290f7c67f63d1970f9a52ab2e60a
    Size: 1.64 MB

Asianux Server 4 for x86_64
  1. ruby-1.8.7.299-7.1.0.1.AXS4.x86_64.rpm
    MD5: 59dd30809033c8161bd2fc4d75f7f0a7
    SHA-256: 4c6887d9240e02993677de825a12b785257c4727a65f9a92d2d4d7a51b0b3441
    Size: 524.75 kB
  2. ruby-irb-1.8.7.299-7.1.0.1.AXS4.x86_64.rpm
    MD5: d7f52bd9ea9cbb52cfd0ca1ea72c9792
    SHA-256: a983da7e0c5079a406e6bccd11ce0e25ab0aa044f241a2ca337f2cf72dadffb4
    Size: 304.92 kB
  3. ruby-libs-1.8.7.299-7.1.0.1.AXS4.x86_64.rpm
    MD5: 447cab289ccdfe07a49392767962f368
    SHA-256: 486a7d3b9ba5819e2aa099356e355059064251a7a3a6af9b1e30f3870ea071df
    Size: 1.63 MB
  4. ruby-libs-1.8.7.299-7.1.0.1.AXS4.i686.rpm
    MD5: 6336f06bdafc4664bc5d85dc6f5c746f
    SHA-256: ef7703245fe529494ee69fbfa83a06f159c7290f7c67f63d1970f9a52ab2e60a
    Size: 1.64 MB