Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to do system management tasks.
A flaw in rubygem-json and ruby193-rubygem-json allowed a remote attacker who
could supply a JSON document to create arbitrary Ruby objects: by default the
parser honoured `json_class` entries in the input and instantiated the named
classes. For example, a JSON document could be used to create arbitrary Ruby
symbols, which were never garbage collected, leading to a denial of service
through memory exhaustion. It could also be used to create internal objects
which, when handed to a framework such as Ruby on Rails, could allow a SQL
injection attack. (CVE-2013-0269)
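The following Ruby script is an added illustration of the parsing behaviour behind CVE-2013-0269; it is not code from the advisory or from the json gem. It reproduces the pre-fix semantics by passing `create_additions: true` explicitly, and contrasts them with the post-fix default. `AuditEvent` is a hypothetical application class assumed for the example, and the JSON document is constructed input. Note that on Ruby 2.2 and later dynamically created symbols are garbage collected, so the symbol-exhaustion vector is mitigated there, but instantiation of arbitrary `json_create`-capable classes is still exactly what the additions mechanism does.

```ruby
require 'json'
require 'json/add/symbol' # adds Symbol.json_create, so {"json_class":"Symbol","s":"x"} interns :x

# Hypothetical application class (an assumption for this example). Any class
# that responds to json_create becomes reachable from untrusted input once
# additions are enabled.
class AuditEvent
  attr_reader :actor, :action

  def initialize(actor, action)
    @actor = actor
    @action = action
  end

  def self.json_create(hash)
    new(hash['actor'], hash['action'])
  end
end

# Constructed attacker-controlled document (not taken from the advisory). The
# json_class keys are what the pre-fix parser honoured by default.
UNTRUSTED_DOC = <<~JSON
  {
    "user": {"json_class": "AuditEvent", "actor": "mallory", "action": "login"},
    "tags": [
      {"json_class": "Symbol", "s": "attacker_chosen_0"},
      {"json_class": "Symbol", "s": "attacker_chosen_1"}
    ]
  }
JSON

# Pre-fix semantics, requested explicitly: json_class entries are turned into
# live objects and interned Symbols while parsing.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Post-fix semantics (the JSON.parse default since the fix): json_class is an
# ordinary string key and nothing is instantiated.
def parse_plain(doc)
  JSON.parse(doc, create_additions: false)
end

# Summarise which classes the parser produced so the two modes can be compared.
def classes_of(parsed)
  { user: parsed['user'].class.name, tags: parsed['tags'].map { |t| t.class.name } }
end

if __FILE__ == $PROGRAM_NAME
  p classes_of(parse_with_additions(UNTRUSTED_DOC)) # AuditEvent and Symbols
  p classes_of(parse_plain(UNTRUSTED_DOC))          # plain Hashes only
end
```

The practical rule that follows: never enable `create_additions` (or call `JSON.load`, which enables it by default) on input that an untrusted party controls; `JSON.parse` with the default options is the safe entry point.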
It was found that documentation generated by rubygem-rdoc and
ruby193-rubygem-rdoc was vulnerable to a cross-site scripting (XSS) attack.
If such documentation was served over a network, and a remote attacker could
trick a user into visiting a specially crafted URL, arbitrary web script would
execute in the context of the user's session. Because rubygem-rdoc and
ruby193-rubygem-rdoc are used to generate documentation for Ruby source files
(classes, modules, and so on), serving such documentation over the network is
not a common deployment; only hosts that do so are exposed to this issue, and
previously generated documentation must be regenerated with the fixed packages
to pick up the fix. (CVE-2013-0256)
Red Hat would like to thank Ruby on Rails upstream for reporting
CVE-2013-0269, and Eric Hodel of RDoc upstream for reporting CVE-2013-0256.
Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the
original reporters of CVE-2013-0269, and Evgeny Ermakov as the original
reporter of CVE-2013-0256.
Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these
updated packages, which correct these issues.
OS | OS version | Architecture | Package | Affected if installed version is | Fixed package filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | ruby193-rubygems-devel | < 1.8.23-28.el6 | ruby193-rubygems-devel-1.8.23-28.el6.noarch.rpm |
RedHat | 6 | noarch | ruby193-rubygems | < 1.8.23-28.el6 | ruby193-rubygems-1.8.23-28.el6.noarch.rpm |
RedHat | 6 | x86_64 | ruby193-ruby-libs | < 1.9.3.327-28.el6 | ruby193-ruby-libs-1.9.3.327-28.el6.x86_64.rpm |
RedHat | 6 | x86_64 | rubygem-json | < 1.7.3-2.el6op | rubygem-json-1.7.3-2.el6op.x86_64.rpm |
RedHat | 6 | x86_64 | ruby193-ruby-devel | < 1.9.3.327-28.el6 | ruby193-ruby-devel-1.9.3.327-28.el6.x86_64.rpm |
RedHat | 6 | x86_64 | ruby193-ruby-debuginfo | < 1.9.3.327-28.el6 | ruby193-ruby-debuginfo-1.9.3.327-28.el6.x86_64.rpm |
RedHat | 6 | noarch | ruby193-ruby-irb | < 1.9.3.327-28.el6 | ruby193-ruby-irb-1.9.3.327-28.el6.noarch.rpm |
RedHat | 6 | x86_64 | ruby193-ruby | < 1.9.3.327-28.el6 | ruby193-ruby-1.9.3.327-28.el6.x86_64.rpm |
RedHat | 6 | x86_64 | ruby193-rubygem-rdoc | < 3.9.4-28.el6 | ruby193-rubygem-rdoc-3.9.4-28.el6.x86_64.rpm |
RedHat | 6 | x86_64 | ruby193-rubygem-json | < 1.5.4-28.el6 | ruby193-rubygem-json-1.5.4-28.el6.x86_64.rpm |
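To check a host against the table above without relying on `yum`, the following Ruby script is an added example (not part of the advisory or of Red Hat tooling). It compares installed package versions with the fixed versions using a port of rpm's `rpmvercmp` ordering (tilde handled, caret omitted, which is enough for the versions listed here), so that `1.9.3.327-27.el6` correctly sorts before `1.9.3.327-28.el6` and `2.el6op` after `10.el6op` is not misread as newer. The `rpm -q` output it parses is constructed sample data; on a real host it would come from `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>`.

```ruby
# Fixed versions from the advisory table (name => version-release).
FIXED = {
  'ruby193-rubygems-devel' => '1.8.23-28.el6',
  'ruby193-rubygems'       => '1.8.23-28.el6',
  'ruby193-ruby-libs'      => '1.9.3.327-28.el6',
  'rubygem-json'           => '1.7.3-2.el6op',
  'ruby193-ruby-devel'     => '1.9.3.327-28.el6',
  'ruby193-ruby-debuginfo' => '1.9.3.327-28.el6',
  'ruby193-ruby-irb'       => '1.9.3.327-28.el6',
  'ruby193-ruby'           => '1.9.3.327-28.el6',
  'ruby193-rubygem-rdoc'   => '3.9.4-28.el6',
  'ruby193-rubygem-json'   => '1.5.4-28.el6',
}.freeze

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...`
# output from a partially patched host (not captured from a real system).
SAMPLE_RPM_OUTPUT = <<~OUT
  ruby193-ruby-libs 1.9.3.327-27.el6
  ruby193-rubygems 1.8.23-28.el6
  rubygem-json 1.7.3-1.el6op
  ruby193-rubygem-rdoc 3.9.4-28.el6
  package ruby193-rubygem-json is not installed
OUT

# Port of rpm's rpmvercmp: returns -1, 0 or 1. Segments are compared one at a
# time; numeric segments compare by value, alphabetic ones lexically, and a
# tilde sorts before everything including end-of-string. Caret is not handled.
def rpmvercmp(a, b)
  return 0 if a == b
  one = a.dup
  two = b.dup
  loop do
    one = one.sub(/\A[^a-zA-Z0-9~]+/, '')
    two = two.sub(/\A[^a-zA-Z0-9~]+/, '')
    if one.start_with?('~') || two.start_with?('~')
      return 1 unless one.start_with?('~')
      return -1 unless two.start_with?('~')
      one = one[1..-1]
      two = two[1..-1]
      next
    end
    break if one.empty? || two.empty?
    if one =~ /\A\d/
      seg1 = one[/\A\d+/]
      seg2 = two[/\A\d+/] || ''
      isnum = true
    else
      seg1 = one[/\A[a-zA-Z]+/]
      seg2 = two[/\A[a-zA-Z]+/] || ''
      isnum = false
    end
    # Numeric beats alphabetic; a missing counterpart segment decides the order.
    return(isnum ? 1 : -1) if seg2.empty?
    if isnum
      s1 = seg1.sub(/\A0+/, '')
      s2 = seg2.sub(/\A0+/, '')
      return s1.length <=> s2.length if s1.length != s2.length
      cmp = s1 <=> s2
    else
      cmp = seg1 <=> seg2
    end
    return cmp unless cmp.zero?
    one = one[seg1.length..-1]
    two = two[seg2.length..-1]
  end
  return 0 if one.empty? && two.empty?
  one.empty? ? -1 : 1
end

# Split "epoch:version-release" (epoch optional, defaults to 0).
def split_evr(evr)
  epoch, rest = evr.include?(':') ? evr.split(':', 2) : ['0', evr]
  version, release = rest.split('-', 2)
  [epoch, version, release || '']
end

# Compare two EVR strings the way rpm does: epoch, then version, then release.
def evr_cmp(a, b)
  ea, va, ra = split_evr(a)
  eb, vb, rb = split_evr(b)
  [[ea, eb], [va, vb], [ra, rb]].each do |x, y|
    c = rpmvercmp(x, y)
    return c unless c.zero?
  end
  0
end

# Return [name, installed, fixed] for every listed package that is installed
# at a version older than the fixed one. "not installed" lines are skipped.
def affected_packages(rpm_output, fixed = FIXED)
  rpm_output.each_line.filter_map do |line|
    name, installed = line.split
    next unless fixed.key?(name) && installed
    [name, installed, fixed[name]] if evr_cmp(installed, fixed[name]) < 0
  end
end

if __FILE__ == $PROGRAM_NAME
  affected_packages(SAMPLE_RPM_OUTPUT).each { |n, i, f| puts "#{n}: #{i} < #{f}" }
end
```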