Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-263-1 ruby1.9.1

Debian Security Advisory

DLA-263-1 ruby1.9.1 -- LTS security update

Date Reported:

01 Jul 2015

Affected Packages:

ruby1.9.1

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 693024, Bug 700471.
In Mitre's CVE dictionary: CVE-2012-5371, CVE-2013-0269.

More information:

Two vulnerabilities were identified in the Ruby language interpreter, version 1.9.1.

• CVE-2012-5371

  Jean-Philippe Aumasson identified that Ruby computed hash values without properly restricting the ability to trigger hash collisions predictably, allowing context-dependent attackers to cause a denial of service (CPU consumption). This is a different vulnerability than CVE-2011-4815.

• CVE-2013-0269

  Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby allowed remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects.

For the squeeze distribution, theses vulnerabilities have been fixed in version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade your ruby1.9.1 package.