ruby-1.8.7.352-3.0.1.AXS4
Errata ID: AXSA:2012-54:01
Release date:
2012/02/01 Wednesday - 12:54
Title:
ruby-1.8.7.352-3.0.1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
Low
Description:
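The following issues have been addressed.
[Security Fix]
- Ruby's SecureRandom.random_bytes function relies on the process ID value for initialization, which makes it easier for an attacker to predict the actual string by leveraging knowledge of random strings obtained in an earlier process with the same PID. (CVE-2011-2705)
- Ruby does not reset the random seed when forking, which allows an attacker to predict random number values by leveraging knowledge of the number sequence obtained in a different child process. (CVE-2011-3009)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp
Solution:
Update the packages.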
CVE:
CVE-2011-2705
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
CVE-2011-3009
Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.
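Post-update check (an added example, not part of the original advisory or of the Ruby project): the script below forks several children and reports any generator whose output repeats across them, which is the shared-state condition described for CVE-2011-3009. It does not reproduce the PID-reuse case of CVE-2011-2705; the helper names `sample_forked_children` and `shared_state` are hypothetical.

```ruby
require 'securerandom'

# Fork `children` processes and collect from each one a hex sample of
# SecureRandom.random_bytes and four Kernel#rand values.
def sample_forked_children(children = 4, nbytes = 16)
  # Use both generators in the parent first, so any state they keep exists
  # before fork and would be inherited by the children if it were not reset.
  SecureRandom.random_bytes(nbytes)
  rand
  readers = (1..children).map do
    rd, wr = IO.pipe
    pid = fork do
      rd.close
      secure = SecureRandom.random_bytes(nbytes).unpack('H*').first
      prng = (1..4).map { rand(2**32) }.join(',')
      wr.puts "#{secure} #{prng}"
      wr.close
      exit!(0)
    end
    wr.close
    [pid, rd]
  end
  readers.map do |pid, rd|
    secure, prng = rd.read.split
    rd.close
    Process.wait(pid)
    { :pid => pid, :secure => secure, :prng => prng }
  end
end

# Return the generators (:secure, :prng) for which two or more children
# produced identical output, i.e. random state was shared across fork.
def shared_state(samples)
  [:secure, :prng].select do |key|
    values = samples.map { |s| s[key] }
    values.uniq.size < values.size
  end
end

if __FILE__ == $0
  samples = sample_forked_children
  samples.each { |s| puts "pid=#{s[:pid]} secure=#{s[:secure]} prng=#{s[:prng]}" }
  repeated = shared_state(samples)
  puts repeated.empty? ? 'OK: no shared random state across fork' : "REPEATED: #{repeated.join(', ')}"
end
```

A `REPEATED` line means forked workers are drawing from the same random state and the interpreter in use should be checked against the fixed package version.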
Additional information:
N/A
Downloads:
SRPMS
- ruby-1.8.7.352-3.0.1.AXS4.src.rpm
MD5: ab76687f71a7e62b10e86c6cbc7e518a
SHA-256: 486f48cc7e725e1a428bc86724dffdfeef0c9b1710026b97e0ba5c79f219554c
Size: 8.28 MB
Asianux Server 4 for x86
- ruby-1.8.7.352-3.0.1.AXS4.i686.rpm
MD5: c1077a522cd17987f35731a7db2951b6
SHA-256: 7f57fc0c9ed31e547b6437c02cf503f02ad551b71009b0a352577840160431ff
Size: 531.37 kB
- ruby-irb-1.8.7.352-3.0.1.AXS4.i686.rpm
MD5: a7692b96cc057f380e697cdcd3073e27
SHA-256: edfc03f4410214e5de008a116d5e7863d6737d51c69ac3c78322647afa3322d7
Size: 310.56 kB
- ruby-libs-1.8.7.352-3.0.1.AXS4.i686.rpm
MD5: 49a0811ea8847ce2e440f3dcfa8ac30e
SHA-256: 784b5b920ff2c48530dff58a7754033d4a217f879504b58e221d7194730e2ff5
Size: 1.64 MB
Asianux Server 4 for x86_64
- ruby-1.8.7.352-3.0.1.AXS4.x86_64.rpm
MD5: f4b9536b2b9f55c97f902bf459b21af2
SHA-256: b0da0c2172a84f72b1b3a0cc9428ff14a531ccc5b4c482cf1f4f255e997cceed
Size: 531.07 kB
- ruby-irb-1.8.7.352-3.0.1.AXS4.x86_64.rpm
MD5: 02436b1e06e9aeb48ef15a2e6cda84cc
SHA-256: ccc652baf8fa614b77129e3a62a70e529bf4424cf5b8538c70909d4c5b265aa8
Size: 310.09 kB
- ruby-libs-1.8.7.352-3.0.1.AXS4.x86_64.rpm
MD5: 42d7551ff2acbaa7d54bef89dbca873c
SHA-256: 5b8d95b2b15a4ac37755abcbef02d0fcbf5a9406fae28a083066bc05172ca3b2
Size: 1.64 MB
- ruby-libs-1.8.7.352-3.0.1.AXS4.i686.rpm
MD5: 49a0811ea8847ce2e440f3dcfa8ac30e
SHA-256: 784b5b920ff2c48530dff58a7754033d4a217f879504b58e221d7194730e2ff5
Size: 1.64 MB