From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1651-1                  [email protected]
http://www.debian.org/security/                      Moritz Muehlenhoff
October 12, 2008                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : ruby1.8
Vulnerability : several
Problem-Type : local(remote)
Debian-specific: no
CVE ID : CVE-2008-3655 CVE-2008-3656 CVE-2008-3657 CVE-2008-3790 CVE-2008-3905

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service and other
security problems. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-3655

    Keita Yamaguchi discovered that several safe level restrictions
    are insufficiently enforced.

CVE-2008-3656

    Christian Neukirchen discovered that the WEBrick module uses
    inefficient algorithms for HTTP header splitting, resulting in
    denial of service through resource exhaustion.

CVE-2008-3657

    It was discovered that the dl module doesn't perform taintness
    checks.

CVE-2008-3790

    Luka Treiber and Mitja Kolsek discovered that recursively nested
    XML entities can lead to denial of service through resource
    exhaustion in rexml.

CVE-2008-3905

    Tanaka Akira discovered that the resolv module uses sequential
    transaction IDs and a fixed source port for DNS queries, which
    makes it more vulnerable to DNS spoofing attacks.

For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch3. Packages for arm will be provided later.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.72-1.

We recommend that you upgrade your ruby1.8 packages.

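An added example, not part of the advisory or of Debian's tooling: a plain-Ruby version of Debian's package version ordering, used to flag hosts in a constructed inventory whose ruby1.8 is older than the fixed versions stated above. It goes beyond the advisory by implementing the general comparison (epoch, upstream version, revision, "~"); on a Debian host, dpkg --compare-versions gives the same ordering. Host names and installed versions are made up.

```ruby
# Added example (not from the advisory). Fixed versions are the advisory's.
FIXED = { "etch" => "1.8.5-4etch3", "sid" => "1.8.7.72-1" }.freeze

# Sort weight: "~" < end-of-string (nil) < letters < other non-digits.
def char_order(c)
  return 0 if c.nil?
  return -1 if c == "~"
  c.match?(/[A-Za-z]/) ? c.ord : c.ord + 256
end

# Compare one component by alternating non-digit and digit runs.
def compare_component(a, b)
  a, b = a.dup, b.dup
  until a.empty? && b.empty?
    na, nb = a.slice!(/\A\D*/), b.slice!(/\A\D*/)
    [na.length, nb.length].max.times do |i|
      d = char_order(na[i]) <=> char_order(nb[i])
      return d unless d.zero?
    end
    d = a.slice!(/\A\d*/).to_i <=> b.slice!(/\A\d*/).to_i
    return d unless d.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]"; a missing epoch counts as 0.
def split_version(v)
  epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
  upstream, revision = rest.include?("-") ? rest.rpartition("-").values_at(0, 2) : [rest, ""]
  [epoch.to_i, upstream, revision]
end

# Returns -1, 0 or 1 for x older than, equal to, or newer than y.
def deb_compare(x, y)
  ex, ux, rx = split_version(x)
  ey, uy, ry = split_version(y)
  [ex <=> ey, compare_component(ux, uy), compare_component(rx, ry)].find { |d| d != 0 } || 0
end

# Hosts whose ruby1.8 is older than the fixed version for their suite.
def unpatched_hosts(inventory)
  inventory.select { |h| deb_compare(h[:version], FIXED.fetch(h[:suite])) < 0 }.map { |h| h[:host] }
end

# Constructed inventory: host names and installed versions are made up.
INVENTORY = [
  { host: "web1", suite: "etch", version: "1.8.5-4etch2" },
  { host: "web2", suite: "etch", version: "1.8.5-4etch3" },
  { host: "app1", suite: "etch", version: "1.8.5-4etch10" },
  { host: "dev1", suite: "sid",  version: "1.8.7.22-2" },
].freeze
```

A plain string comparison would wrongly place 1.8.5-4etch10 before 1.8.5-4etch3; the numeric-run comparison above does not.
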
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[continued in next message]