[Bug 257122]
Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked Won't Fix for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

** Changed in: ruby1.9 (Ubuntu Hardy)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/257122

Title:
  Multiple vulnerabilities in Ruby

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/257122/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 257122]
Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked Won't Fix. Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

** Changed in: ruby1.9 (Ubuntu Dapper)
       Status: New => Won't Fix
[Bug 257122] Re: Multiple vulnerabilities in Ruby
** Branch linked: lp:ubuntu/dapper-updates/ruby1.8

** Branch linked: lp:~ubuntu-branches/ubuntu/feisty/ruby1.8/feisty-security

** Branch linked: lp:ubuntu/hardy-updates/ruby1.8

** Branch linked: lp:ubuntu/gutsy-updates/ruby1.8

-- 
Multiple vulnerabilities in Ruby
https://bugs.launchpad.net/bugs/257122
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 257122] Re: Multiple vulnerabilities in Ruby
The 18-month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

** Changed in: ruby1.9 (Ubuntu Gutsy)
       Status: New => Won't Fix
[Bug 257122] Re: Multiple vulnerabilities in Ruby
Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

** Changed in: ruby1.9 (Ubuntu Feisty)
       Status: New => Won't Fix
[Bug 257122] Re: Multiple vulnerabilities in Ruby
Fixed via sync request in https://bugs.launchpad.net/ubuntu/+source/ruby1.9/+bug/281456

** Changed in: ruby1.9 (Ubuntu Intrepid)
       Status: In Progress => Fix Released
[Bug 257122] Re: Multiple vulnerabilities in Ruby
Requested sync from Debian to 1.9.0.2-7 for Intrepid. See bug #281456.

** Changed in: ruby1.9 (Ubuntu Intrepid)
       Status: Triaged => In Progress
[Bug 257122] Re: Multiple vulnerabilities in Ruby
This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.2

---
ruby1.8 (1.8.6.111-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make sure
      PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge [EMAIL PROTECTED]  Tue, 07 Oct 2008 13:34:00 -0500

** Changed in: ruby1.8 (Ubuntu Hardy)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1447

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2376

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3443

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3655

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3656

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3657

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3905

** Changed in: ruby1.8 (Ubuntu Gutsy)
       Status: In Progress => Fix Released
[Bug 257122] Re: Multiple vulnerabilities in Ruby
This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.3

---
ruby1.8 (1.8.6.36-1ubuntu3.3) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make sure
      PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge [EMAIL PROTECTED]  Thu, 09 Oct 2008 08:47:35 -0500

** Changed in: ruby1.8 (Ubuntu Feisty)
       Status: In Progress => Fix Released
[Bug 257122] Re: Multiple vulnerabilities in Ruby
This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.3

---
ruby1.8 (1.8.5-4ubuntu2.3) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/953_CVE-2008-3790.patch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/954_CVE-2008-2376.patch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/955_CVE-2008-3443.patch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/956_CVE-2008-3656.patch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/957_CVE-2008-3905.patch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/958_CVE-2008-3657.patch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/959_CVE-2008-3655.patch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make sure
      PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge [EMAIL PROTECTED]  Thu, 09 Oct 2008 09:28:03 -0500
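The CVE-2008-3905 entries in the changelogs above say resolv.rb was changed to take the DNS transaction id and source port from SecureRandom instead of a predictable source. The following block is an added illustration, not code from ruby1.8 or from the Ubuntu patches: a minimal resolver stub that draws both values from SecureRandom and then applies the check that makes the randomness matter, discarding any reply whose id does not equal the outstanding query's. All function names (fresh_transaction_id, build_query, response_matches? and so on) are hypothetical.

```ruby
require 'securerandom'

# 16-bit DNS transaction id. SecureRandom replaces a seeded rand() so an
# observer cannot predict the id of the next query.
def fresh_transaction_id
  SecureRandom.random_number(0x10000)
end

# Ephemeral source port in the unprivileged range 1024..65535; the caller
# retries if the chosen port is already bound.
def fresh_source_port
  1024 + SecureRandom.random_number(65536 - 1024)
end

# 12-byte DNS header plus one question for an A record (QCLASS IN).
# Header fields: ID, FLAGS (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT.
def build_query(id, name)
  header = [id, 0x0100, 1, 0, 0, 0].pack('n6')
  qname = name.split('.').map { |l| [l.length].pack('C') + l }.join + "\0"
  header + qname + [1, 1].pack('n2') # QTYPE=A, QCLASS=IN
end

# Extract only what the matching check needs from a received packet.
def parse_header(packet)
  return nil if packet.bytesize < 12
  id, flags = packet.unpack('n2')
  { id: id, response: (flags & 0x8000) != 0 }
end

# Accept a packet only if it is a response (QR bit set) and its id equals
# the id we sent. With unpredictable ids and ports, a blindly forged answer
# has to guess both before it can pass this check.
def response_matches?(query_id, packet)
  h = parse_header(packet)
  !h.nil? && h[:response] && h[:id] == query_id
end

# Constructed demo: a reply echoing our id versus one carrying a wrong id.
if __FILE__ == $PROGRAM_NAME
  id = fresh_transaction_id
  query = build_query(id, 'example.com')
  good = [id, 0x8180, 1, 0, 0, 0].pack('n6') + query[12..-1]
  bad = [(id + 1) & 0xFFFF, 0x8180, 1, 0, 0, 0].pack('n6') + query[12..-1]
  puts "port=#{fresh_source_port} good=#{response_matches?(id, good)} " \
       "bad=#{response_matches?(id, bad)}"
end
```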
[Bug 257122] Re: Multiple vulnerabilities in Ruby
http://www.ubuntu.com/usn/usn-651-1

** Changed in: ruby1.8 (Ubuntu Dapper)
       Status: In Progress => Fix Released

** Changed in: ruby1.9 (Ubuntu Intrepid)
       Status: New => Triaged
[Bug 257122] Re: Multiple vulnerabilities in Ruby
** Changed in: ruby1.8 (Ubuntu Dapper)
       Status: Confirmed => In Progress

** Changed in: ruby1.8 (Ubuntu Feisty)
       Status: Confirmed => In Progress

** Changed in: ruby1.8 (Ubuntu Gutsy)
       Status: Confirmed => In Progress

** Changed in: ruby1.8 (Ubuntu Hardy)
       Status: Confirmed => In Progress
[Bug 257122] Re: Multiple vulnerabilities in Ruby
** Changed in: ruby1.8 (Ubuntu)
Sourcepackagename: ruby-defaults => ruby1.8

** Changed in: ruby1.8 (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
       Status: New => Confirmed

** Also affects: ruby1.9 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: ruby1.8 (Ubuntu Intrepid)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)
       Status: Confirmed => Fix Released

** Changed in: ruby1.8 (Ubuntu Dapper)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
       Status: New => Confirmed

** Changed in: ruby1.8 (Ubuntu Feisty)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
       Status: New => Confirmed

** Changed in: ruby1.8 (Ubuntu Gutsy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
       Status: New => Confirmed

** Changed in: ruby1.8 (Ubuntu Hardy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
       Status: New => Confirmed

** Changed in: ruby1.9 (Ubuntu Intrepid)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 257122] Re: Multiple vulnerabilities in Ruby
I hate to be a nag, but this package is in main, and it's been a month, and well, the SABDFL seems to think Ubuntu has a good track record with security fixes...

Well we have a better security track record than Red Hat, we do that by focusing very hard on security, making sure the updates are available as fast as possible on Ubuntu, independent studies have generally ranked Ubuntu number one.

http://derstandard.at/?url=/?id=3413801
http://lwn.net/Articles/290156/

Any chance it can get fixed?

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3790
[Bug 257122] Re: Multiple vulnerabilities in Ruby
Thanks for the ping. We are working on it, but other updates have taken priority over Ruby. The open Ruby vulnerabilities are mostly denial-of-service or untrusted local script issues, which have traditionally been low priority.
[Bug 257122] [NEW] Multiple vulnerabilities in Ruby
*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):

Some vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks.

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Vulnerable versions

1.8 series
 * 1.8.5 and all prior versions
 * 1.8.6-p286 and all prior versions
 * 1.8.7-p71 and all prior versions

1.9 series
 * r18423 and all prior revisions

** Affects: ruby-defaults (Ubuntu)
     Importance: Undecided
         Status: New
[Bug 257122] Re: Multiple vulnerabilities in Ruby
** Visibility changed to: Public