-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2004.0613 -- RHSA-2004:441-01
                 Updated ruby package fixes security flaw
                              1 October 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ruby
Publisher:              Red Hat
Operating System:       Red Hat Desktop version 3
                        Red Hat Enterprise Linux AS/ES/WS 3
                        Red Hat Enterprise Linux AS/ES/WS 2.1
                        Linux variants
                        UNIX variants
Impact:                 Read-only Data Access
Access:                 Existing Account

CVE Names:              CAN-2004-0755

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated ruby package fixes security flaw
Advisory ID:       RHSA-2004:441-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
Keywords:          file permission
CVE Names:         CAN-2004-0755
- - ---------------------------------------------------------------------

1. Summary:

An updated ruby package that fixes insecure file permissions for CGI
session files is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ruby is an interpreted scripting language for object-oriented programming.

Andres Salomon reported an insecure file permissions flaw in the CGI
session management of Ruby. FileStore created world readable files that
could allow a malicious local user the ability to read CGI session data.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains a
backported patch to CGI::Session FileStore.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130065 - CAN-2004-0755 ruby insecure file permissions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

ppc:
e111badd02691f2d3af1228cfd1305ad ruby-1.6.8-9.EL3.2.ppc.rpm
71f4002652015dc1394d1a0707dac921 ruby-devel-1.6.8-9.EL3.2.ppc.rpm
2834716a178d5c22b2a0bdc3c18e4569 ruby-libs-1.6.8-9.EL3.2.ppc.rpm
c722c0ce315e1e5a4229e94b1518ba30 ruby-mode-1.6.8-9.EL3.2.ppc.rpm

s390:
ba3145afb52bc659a5efcc0452a55ff3 ruby-1.6.8-9.EL3.2.s390.rpm
e52eb4855a8501f0c2fccf2b1e3524aa ruby-devel-1.6.8-9.EL3.2.s390.rpm
6b18d38bd6d62c84d757f229845b6079 ruby-libs-1.6.8-9.EL3.2.s390.rpm
0cf38f2a6c42ceb80a674bcc9ffa557d ruby-mode-1.6.8-9.EL3.2.s390.rpm

s390x:
7292fe703498f5ee33a20d69f7ad6cd1 ruby-1.6.8-9.EL3.2.s390x.rpm
e1ff142228b28536b4a3977db8d430a7 ruby-devel-1.6.8-9.EL3.2.s390x.rpm
c1849a6c9570941144914d7d518d71e8 ruby-libs-1.6.8-9.EL3.2.s390x.rpm
fd9f25954b2d1b87d521848a6bf2501b ruby-mode-1.6.8-9.EL3.2.s390x.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3gXlSAg2UNWIIRAkXLAKChOubcTfVhoSGLL/DRgUQbMxbD2wCfRlBD
foKv94hXR1OqHdgnMd45cGE=
=mE/N
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQVyseSh9+71yA2DNAQJfIQP/clLEUH6+PKhDPGG9zeK6KorryeF/FHBN
4SDbYapW3ejrQFwCB+WhgDnvL4h2Mek8TLgAxMW97+zuHxMgpO2vbmkvRGvVTPcg
VyhpgttzxeAAjlsRAeI5Iofp5fBvEjQD6fhI0PjrlQyYKcrPuH7ihFZy7LLynHwD
n0n/FD+hvJQ=
=M65E
-----END PGP SIGNATURE-----
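The flaw in section 3 of the advisory above is a permissions defect: CGI::Session's FileStore wrote session files that any local account could read. The Ruby script below is an added illustration, not the Red Hat backport and not Ruby's own cgi/session code. It writes a constructed session payload two ways into a throwaway directory: once with a plain mode-string open, which inherits the process umask and under the common umask 022 yields a 0644 (world-readable) file, and once with an explicit 0600 create mode plus O_EXCL, which keeps the file owner-only regardless of umask. It then runs the check an administrator would want on a session directory: list any session files whose group or other read bits are set. The `ruby_sess.` filename prefix, the 0600 mode and the payload are assumptions made for this example; the advisory does not state how the backported patch sets the mode.

```ruby
require "tmpdir"

# Constructed session payload for this example only (not real data):
# the kind of content a file-backed CGI session store would persist.
SESSION_DATA = "user_id=42\nrole=admin\n".freeze

# Weak pattern: a mode-string open creates the file with 0666 masked by the
# process umask, so under umask 022 the session file ends up 0644 and is
# readable by every local account, which is the condition CAN-2004-0755 describes.
def write_session_weak(dir, sid)
  path = File.join(dir, "ruby_sess.#{sid}")   # prefix is an assumption for the example
  File.open(path, "w") { |f| f.write(SESSION_DATA) }
  path
end

# Hardened pattern: create the file with an explicit owner-only mode and
# O_EXCL. The 0600 mode cannot be widened by the umask (umask only clears
# bits), and O_EXCL refuses to reuse a file that already exists in the
# shared session directory.
def write_session_hardened(dir, sid)
  path = File.join(dir, "ruby_sess.#{sid}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(SESSION_DATA)
  end
  path
end

# Defender check: return the session files in dir that are readable by
# group or other (any of the 0044 permission bits set).
def world_readable_session_files(dir)
  Dir.glob(File.join(dir, "ruby_sess.*")).select do |path|
    (File.stat(path).mode & 0o044) != 0
  end
end

# Run both writers under a fixed umask of 022 (a typical default on the
# affected systems) inside a temporary directory and report what the
# check finds. Returns a hash so the result can be inspected or asserted on.
def demo
  Dir.mktmpdir("sess") do |dir|
    old_umask = File.umask(0o022)
    begin
      weak = write_session_weak(dir, "weak1")
      hard = write_session_hardened(dir, "hard1")
      {
        weak_mode: File.stat(weak).mode & 0o777,   # expected 0o644
        hard_mode: File.stat(hard).mode & 0o777,   # expected 0o600
        flagged:   world_readable_session_files(dir).map { |p| File.basename(p) },
      }
    ensure
      File.umask(old_umask)
    end
  end
end

if __FILE__ == $0
  r = demo
  printf("weak: %04o  hardened: %04o  flagged: %s\n", r[:weak_mode], r[:hard_mode], r[:flagged].inspect)
end
```

The check in `world_readable_session_files` is the useful part on a live system: pointed at the real session directory (often the system temporary directory for file-backed stores), it identifies session files written before the erratum was applied, which the package update does not retroactively fix.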