Tuesday, July 9, 2013

[USN-1902-1] Ruby vulnerability

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJR3CoFAAoJEGVp2FWnRL6Tn0QP/2ImHi53ZCKtcR6Y4w8Hl+nd
j/k2fqzZ7cEycQOJDWyAR3VtGYkPGWz+QLiby2oBg1fU6aiqYjY/976MgX54dwxs
NyVecMwq/18DCamC7f8QYqLcfSwJi62IFUfowQ2hdmwZAcmBb7npSZaXSQlBt9o2
OC22BaWLYc0P+VhexmtquM2ZEwx74BG7vCkRCmnGlp4P2ahhDN3zCowGvquY2qYh
lZA45aCi6BAbbxcOyTgugegxwVTr4S/0WeuaJUkkEW/I86nd8Au3jMcEvuelyCop
/ZRETxwOiR69VHyvcCoYRjvHlVTHaxmpHkxZiYvwVgxlKM8NUACnWBAhVBKvCyFJ
3DoS/nPSs03TFCKPwWURN6H1OGJK0kIUFMe+nz0DMivBJ2yJqafxPmk3YBM7HhIO
cfd2TaC6eHVQDkOwrWTONz3pcXU8YFpVcK4BS5iIvKOEz1r0RqDYBTui8a5ujdt9
ZXA/1PNdqheNXBnGxii/IxJBb/5YlwX88Y0IJnp6KtqJPQwWrLrdMrX0P5OcFJ6q
UV2Hq6zc4BjJz65+U1sRzlCcq8TJ/gARCkwx6K3/iZFSvhVQ4IqpuX84yNnQzxS3
EwS5iR+0naD0sRvvK6m0MzCUdgKpNEngNQp2Fo8MZFEQLDZniWMUpsXyGjWccnlz
YPHZEH6H/C7iMjCvl5pU
=hESE
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1902-1
July 09, 2013

ruby1.8, ruby1.9.1 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

An attacker could trick Ruby into trusting a rogue server.

Software Description:
- ruby1.8: Object-oriented scripting language
- ruby1.9.1: Object-oriented scripting language

Details:

William (B.J.) Snow Orvis discovered that Ruby incorrectly verified the
hostname in SSL certificates. An attacker could trick Ruby into trusting a
rogue server certificate, which was signed by a trusted certificate
authority, to perform a man-in-the-middle attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libruby1.8 1.8.7.358-7ubuntu1.1
libruby1.9.1 1.9.3.194-8.1ubuntu1.1
ruby1.8 1.8.7.358-7ubuntu1.1
ruby1.9.1 1.9.3.194-8.1ubuntu1.1

Ubuntu 12.10:
libruby1.8 1.8.7.358-4ubuntu0.3
libruby1.9.1 1.9.3.194-1ubuntu1.5
ruby1.8 1.8.7.358-4ubuntu0.3
ruby1.9.1 1.9.3.194-1ubuntu1.5

Ubuntu 12.04 LTS:
libruby1.8 1.8.7.352-2ubuntu1.3
libruby1.9.1 1.9.3.0-1ubuntu2.7
ruby1.8 1.8.7.352-2ubuntu1.3
ruby1.9.1 1.9.3.0-1ubuntu2.7

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1902-1
CVE-2013-4073

Package Information:
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-7ubuntu1.1
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-8.1ubuntu1.1
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-4ubuntu0.3
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.5
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.7

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)