Date: Fri, 2 Jul 2010 14:59:27 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request [Microsoft Windows Ruby-v1.9.x] -- Buffer over-run leading to ACE

Please use CVE-2010-2489

Thanks.

--
    JB

----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:
> Hi Steve, vendors,
>
> Ruby upstream has released the latest v1.9.1-p429 and v1.9.2 RC1 versions,
> addressing one security issue, present on Microsoft Windows operating systems,
> where the version of the Ruby language is v1.9.x based:
>
> http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-1-p429-is-released/
> http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-2-rc1-is-released/
> http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_rc1/ChangeLog
>
> Quoting from :
>
> <begin quote>
>
> A security vulnerability that causes a buffer overflow when you assign
> a dangerous value to ARGF.inplace_mode on Windows. It possibly allows an
> attacker to execute arbitrary code.
>
> The affected versions are:
>
> * Ruby 1.9.1 patchlevel 378 and all prior versions.
> * Ruby 1.9.2 preview 3 and all prior versions.
> * Development versions of Ruby 1.9 (1.9.3dev).
>
> I recommend that you upgrade your Ruby 1.9 to 1.9.1-p429 or 1.9.2-rc1.
>
> The vulnerability does not directly affect the Ruby 1.8 series.
>
> Credit
>
> The vulnerability was found and reported by Masaya TARUI.
>
> <end quote>
>
> Though this is not affecting the Linux version of Ruby, we will need a
> CVE identifier for the purpose of properly tracking it.
>
> Steve, could you please allocate one?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
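As an added example that is not part of the mail thread above, the following Ruby snippet turns the quoted affected-version list into a check a Windows Ruby deployment can run against its own interpreter constants. It assumes only the public RUBY_VERSION, RUBY_PATCHLEVEL and RUBY_PLATFORM constants; the `cve_2010_2489_status` function name and the `:verify_manually` outcome are this example's own. Because every 1.9.2 preview and rc1 report RUBY_PATCHLEVEL -1, the constants alone cannot separate preview 3 (affected) from rc1 (fixed), so that case is flagged for a manual look rather than guessed.

```ruby
# Added example: classify a Ruby build against the affected-version list from
# the CVE-2010-2489 announcement (ARGF.inplace_mode buffer overflow, Windows only).
# The inputs mirror the RUBY_VERSION, RUBY_PATCHLEVEL and RUBY_PLATFORM
# constants of the interpreter being checked.

FIXED_191_PATCHLEVEL = 429  # 1.9.1-p429 is the first fixed 1.9.1 release

# Returns :not_affected, :affected or :verify_manually.
def cve_2010_2489_status(version, patchlevel, platform)
  # Only Windows builds (mswin32/mswin64 and mingw32 targets) are affected.
  return :not_affected unless platform =~ /mswin|mingw/

  major, minor, teeny = version.split('.').map(&:to_i)
  # The 1.8 series is not directly affected; nothing before 1.9 is listed.
  return :not_affected unless major == 1 && minor == 9

  case teeny
  when 1
    # 1.9.1: patchlevel 378 and all earlier builds (including previews,
    # which report -1) are affected; p429 and later are fixed.
    patchlevel >= FIXED_191_PATCHLEVEL ? :not_affected : :affected
  when 2
    # 1.9.2-p0 and later final releases postdate rc1 and carry the fix.
    # Prereleases (patchlevel -1) may be preview 3 or rc1: check by hand.
    patchlevel >= 0 ? :not_affected : :verify_manually
  else
    # 1.9.3dev snapshots from before the fix are listed as affected; any
    # released 1.9.3+ build is later than the fix. Dev snapshots need a look.
    patchlevel >= 0 ? :not_affected : :verify_manually
  end
end

# Convenience wrapper for the interpreter running this script.
def local_status
  cve_2010_2489_status(RUBY_VERSION, RUBY_PATCHLEVEL, RUBY_PLATFORM)
end

puts "This interpreter: #{local_status}" if __FILE__ == $0
```

Run it under the interpreter you want to audit; a non-Windows result is always `:not_affected`, matching the note in the request that the Linux builds are not affected.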