RHSA-2004:441-01: Updated ruby package fixes security flaw
Posted on: 09/30/2004 11:51 AM

Updated ruby packages are available for Red Hat Enterprise Linux 2.1 and 3

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated ruby package fixes security flaw
Advisory ID: RHSA-2004:441-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
Keywords: file permission
CVE Names: CAN-2004-0755
----------------------------------------------------------------------

1. Summary:

An updated ruby package that fixes insecure file permissions for CGI session files is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ruby is an interpreted scripting language for object-oriented programming.

Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130065 - CAN-2004-0755 ruby insecure file permissions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

ppc:
e111badd02691f2d3af1228cfd1305ad ruby-1.6.8-9.EL3.2.ppc.rpm
71f4002652015dc1394d1a0707dac921 ruby-devel-1.6.8-9.EL3.2.ppc.rpm
2834716a178d5c22b2a0bdc3c18e4569 ruby-libs-1.6.8-9.EL3.2.ppc.rpm
c722c0ce315e1e5a4229e94b1518ba30 ruby-mode-1.6.8-9.EL3.2.ppc.rpm

s390:
ba3145afb52bc659a5efcc0452a55ff3 ruby-1.6.8-9.EL3.2.s390.rpm
e52eb4855a8501f0c2fccf2b1e3524aa ruby-devel-1.6.8-9.EL3.2.s390.rpm
6b18d38bd6d62c84d757f229845b6079 ruby-libs-1.6.8-9.EL3.2.s390.rpm
0cf38f2a6c42ceb80a674bcc9ffa557d ruby-mode-1.6.8-9.EL3.2.s390.rpm

s390x:
7292fe703498f5ee33a20d69f7ad6cd1 ruby-1.6.8-9.EL3.2.s390x.rpm
e1ff142228b28536b4a3977db8d430a7 ruby-devel-1.6.8-9.EL3.2.s390x.rpm
c1849a6c9570941144914d7d518d71e8 ruby-libs-1.6.8-9.EL3.2.s390x.rpm
fd9f25954b2d1b87d521848a6bf2501b ruby-mode-1.6.8-9.EL3.2.s390x.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/rhsa_2004441_01_updated_ruby_package_fixes_security_flaw.html)