-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2004.0613 -- RHSA-2004:441-01
                 Updated ruby package fixes security flaw
                              1 October 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ruby
Publisher:              Red Hat
Operating System:       Red Hat Desktop version 3
                        Red Hat Enterprise Linux AS/ES/WS 3
                        Red Hat Enterprise Linux AS/ES/WS 2.1
                        Linux variants
                        UNIX variants
Impact:                 Read-only Data Access
Access:                 Existing Account
CVE Names:              CAN-2004-0755

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated ruby package fixes security flaw
Advisory ID:       RHSA-2004:441-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
Keywords:          file permission
CVE Names:         CAN-2004-0755
- - ---------------------------------------------------------------------

1. Summary:

An updated ruby package that fixes insecure file permissions for CGI session
files is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ruby is an interpreted scripting language for object-oriented programming.

Andres Salomon reported an insecure file permissions flaw in the CGI
session management of Ruby.  FileStore created world-readable files that
could allow a malicious local user to read CGI session data.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains a
backported patch to CGI::Session FileStore.
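As an added illustration (not code from the advisory or from the Ruby project), the snippet below shows the weak pattern the advisory describes beside the hardened one, and a small audit check a system administrator can run over a session directory. The function names and the constructed session data are assumptions made for this example; the fix in the erratum is a backport to CGI::Session FileStore, not this code.

```ruby
# Added example (not from the advisory or the Ruby project): shows the
# permission hardening the erratum describes for CGI::Session FileStore
# and a check for session files that are still world-readable.
require 'tmpdir'

# Vulnerable pattern: the file inherits the process umask, which on a
# typical web server (umask 022) yields 0644, i.e. world-readable.
def write_session_unsafe(path, data)
  File.open(path, 'w') { |f| f.write(data) }
  path
end

# Hardened pattern: create the file atomically (EXCL) with mode 0600 so
# only the owning uid can read it; umask can only remove bits, never add.
def write_session_safe(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(data)
  end
  path
end

# Audit helper: list regular files in a session directory whose mode
# grants read to "other" (the 0o004 bit), which is what leaked here.
def world_readable_session_files(dir)
  Dir.glob(File.join(dir, '*')).select do |p|
    File.file?(p) && (File.stat(p).mode & 0o004) != 0
  end.sort
end

# Self-contained demonstration on constructed session data in a temp dir.
def demo
  Dir.mktmpdir('rb_sess') do |dir|
    unsafe = write_session_unsafe(File.join(dir, 'ruby_sess.aaa'), 'user=alice')
    File.chmod(0644, unsafe) # force the typical umask-022 outcome
    safe = write_session_safe(File.join(dir, 'ruby_sess.bbb'), 'user=bob')
    leaked = world_readable_session_files(dir)
    { leaked: leaked.map { |p| File.basename(p) },
      safe_mode: format('%o', File.stat(safe).mode & 0o777) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```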

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130065 - CAN-2004-0755 ruby insecure file permissions

6. RPMs required:


These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----