ELSA-2014-1913

Published: 04 Feb 2016
Source: oracle-oval
Platform: Oracle Linux 6

Description

ELSA-2014-1913: ruby193-ruby security update (MODERATE)

[1.9.3.484-50.0.1]

  • fix build issue: self test report 'dh key to small'

[1.9.3.484-50]

  • Fix off-by-one stack-based buffer overflow in the encodes() function (CVE-2014-4975). Related: rhbz#1164004
  • Fix REXML billion laughs attack via parameter entity expansion (CVE-2014-8080). Related: rhbz#1164004
  • REXML incomplete fix for CVE-2014-8080 (CVE-2014-8090). Related: rhbz#1164004

Updated packages

Oracle Linux 6

Oracle Linux x86_64

Package                        Version
ruby193-ruby                   1.9.3.484-50.0.1.el6
ruby193-ruby-devel             1.9.3.484-50.0.1.el6
ruby193-ruby-doc               1.9.3.484-50.0.1.el6
ruby193-ruby-irb               1.9.3.484-50.0.1.el6
ruby193-ruby-libs              1.9.3.484-50.0.1.el6
ruby193-ruby-tcltk             1.9.3.484-50.0.1.el6
ruby193-rubygem-bigdecimal     1.1.0-50.0.1.el6
ruby193-rubygem-io-console     0.3-50.0.1.el6
ruby193-rubygem-json           1.5.5-50.0.1.el6
ruby193-rubygem-minitest       2.5.1-50.0.1.el6
ruby193-rubygem-rake           0.9.2.2-50.0.1.el6
ruby193-rubygem-rdoc           3.9.5-50.0.1.el6
ruby193-rubygems               1.8.23-50.0.1.el6
ruby193-rubygems-devel         1.8.23-50.0.1.el6

Related vulnerabilities

oracle-oval
almost 11 years ago

ELSA-2014-1912: ruby security update (MODERATE)

oracle-oval
almost 11 years ago

ELSA-2014-1911: ruby security update (MODERATE)

ubuntu
almost 11 years ago

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

redhat
almost 11 years ago

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

nvd
almost 11 years ago

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.