ruby Vulnerability / portupgrade

2006-11-13 Thread Jeff Dickens

Regarding the following vulnerabilities as detected by portaudit:

   Affected package: ruby-1.8.4_4,1
   Type of problem: ruby -- cgi.rb library Denial of Service.
   Reference: http://www.FreeBSD.org/ports/portaudit/ab8dbe98-6be4-11db-ae91-0012f06707f0.html

   Affected package: ruby-1.8.4_4,1
   Type of problem: ruby - multiple vulnerabilities.
   Reference: http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html

I see that ruby is only required by portupgrade.  Anyone know if there's going to
be a fix for this vulnerability any time soon? Anyone asked the ruby guys?

   # pkg_info -R ruby-1.8.4_4,1
   Information for ruby-1.8.4_4,1:

   Required by:
   portupgrade-2.0.1_1,1
   ruby18-bdb1-0.2.2

   # pkg_info -R ruby18-bdb1-0.2.2
   Information for ruby18-bdb1-0.2.2:

   Required by:
   portupgrade-2.0.1_1,1

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ruby Vulnerability / portupgrade

2006-11-13 Thread Karol Kwiatkowski
Hi Jeff,

On 13/11/2006 16:35, Jeff Dickens wrote:
> Regarding the following vulnerabilities as detected by portaudit:
>
>    Affected package: ruby-1.8.4_4,1
>    Type of problem: ruby -- cgi.rb library Denial of Service.
>    Reference: http://www.FreeBSD.org/ports/portaudit/ab8dbe98-6be4-11db-ae91-0012f06707f0.html

From the link:

% Affects:
% *  ruby >=1.8.* <1.8.5_4,1
% *  ruby_static >=1.8.* <1.8.5_4,1

The latest version of ruby in ports is 1.8.5_4,1 which is not affected[1].


>    Affected package: ruby-1.8.4_4,1
>    Type of problem: ruby - multiple vulnerabilities.
>    Reference: http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html

Hmmm... not sure about this one, but if I'm reading CVE-2006-3694[2]
right, ruby 1.8.5 is not affected. portaudit is not complaining either.

HTH,

Karol

[1]
http://www.freebsd.org/cgi/getmsg.cgi?fetch=2891067+0+/usr/local/www/db/text/2006/cvs-all/20061105.cvs-all
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694

-- 
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
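The check Karol walks through above (is the installed ruby-1.8.4_4,1 inside the advisory's "ruby >=1.8.* <1.8.5_4,1" range, and is 1.8.5_4,1 outside it?) is what portaudit does for every installed package. The script below is an added example, not code from the thread or from portaudit, that re-creates it in Python. It parses pkg_info-style names ("name-version[_revision][,epoch]") and the constraints from the portaudit page; the version ordering is a simplified re-implementation of the pkg_version(1) rules (epoch first, then the dotted version, then PORTREVISION), and the handling of the "1.8.*" wildcard (compare only the components before the star) is an assumption that is exact for the versions on this page but not a full port of the pkg_version algorithm.

```python
import re
from typing import List, Tuple

# A parsed FreeBSD package version: (epoch, version components, PORTREVISION).
# Components are (0, int) for digit runs and (1, str) for letter runs, so that
# Python never compares an int with a str while ordering two lists.
Parsed = Tuple[int, List[Tuple[int, object]], int]


def parse_pkg_version(ver: str) -> Parsed:
    """Split 'version[_revision][,epoch]' (e.g. '1.8.4_4,1') into its three fields.

    Simplified re-implementation of the pkg_version(1) rules: epoch is compared
    first, then the dotted version, then PORTREVISION (assumption: adequate for
    the versions in this thread, not a full port of the pkg_version algorithm).
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", ver)]
    return epoch, parts, revision


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def cmp_versions(installed: str, bound: str) -> int:
    """Return -1, 0 or 1 as `installed` sorts before, equal to, or after `bound`.

    A trailing '*' in the bound (as in '1.8.*') restricts the comparison to the
    components written before the star and ignores epoch and revision
    (assumption about how the wildcard is meant; it matches the thread's case).
    """
    e1, p1, r1 = parse_pkg_version(installed)
    wildcard = bound.endswith("*")
    e2, p2, r2 = parse_pkg_version(bound.rstrip("*."))
    if wildcard:
        return _cmp(p1[:len(p2)], p2)
    return _cmp((e1, p1, r1), (e2, p2, r2))


# One constraint from a VuXML 'Affects:' entry, e.g. '>=1.8.*' or '<1.8.5_4,1'.
CONSTRAINT_RE = re.compile(r"(>=|<=|>|<|=)\s*(\S+)")
_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, "<": lambda c: c < 0, "=": lambda c: c == 0}


def is_affected(installed_pkg: str, affects: str) -> bool:
    """True if a pkg_info-style 'name-version' falls inside an 'Affects:' entry.

    `affects` is the entry as shown on the portaudit page, e.g.
    'ruby >=1.8.* <1.8.5_4,1'. Every constraint in it must hold.
    """
    name, installed_ver = installed_pkg.rsplit("-", 1)
    affected_name, _, spec = affects.partition(" ")
    if name != affected_name:
        return False
    return all(_OPS[op](cmp_versions(installed_ver, ver))
               for op, ver in CONSTRAINT_RE.findall(spec))


if __name__ == "__main__":
    # Entry from the first advisory quoted above; the package versions are the
    # ones discussed in the thread plus a constructed 1.8.5_3,1 to show that a
    # lower PORTREVISION of the fixed version is still inside the range.
    affects = "ruby >=1.8.* <1.8.5_4,1"
    for pkg in ("ruby-1.8.4_4,1", "ruby-1.8.5_3,1", "ruby-1.8.5_4,1"):
        print(f"{pkg:16} affected={is_affected(pkg, affects)}")
```

The point the thread turns on is visible in the last two lines of the loop: 1.8.5_3,1 is still inside the range because the fix landed in PORTREVISION 4, while 1.8.5_4,1 is the first version that clears the "<1.8.5_4,1" bound. Note also that the epoch (",1") is compared before anything else, so a bound written without it would not match these packages.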
