-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0061
         Two vulnerabilities have been identified in Ruby prior to
                            version 1.9.3-p194
                               20 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Reduced Security -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Sunday, May 20 2012

OVERVIEW

        Two vulnerabilities have been identified in Ruby prior to version 
        1.9.3-p194.


IMPACT

        The vendor has provided the following description for these 
        vulnerabilities:
        
        "This release includes two security fixes in RubyGems.
        
        Turn on verification of server SSL certs
        Disallow redirects from https to http" [1]
        
        "This release increases the security used when RubyGems is talking to 
        an https server. If you use a custom RubyGems server over SSL, this 
        release will cause RubyGems to no longer connect unless your SSL cert 
        is globally valid.
        
        "You can configure SSL certificate usage in RubyGems through the 
        :ssl_ca_cert and :ssl_verify_mode options in ~/.gemrc and /etc/gemrc. 
        The recommended way is to set :ssl_ca_cert to the CA certificate for 
        your server or a certificate bundle containing your CA certification.
        
        You may also set :ssl_verify_mode to 0 to completely disable SSL 
        certificate checks, but this is not recommended." [1]


MITIGATION

        The vendor recommends upgrading to the latest version of Ruby
        to correct these issues. [1]


REFERENCES

        [1] Ruby 1.9.3-p194 is released
            http://www.ruby-lang.org/en/news/2012/04/20/ruby-1-9-3-p194-is-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----