ID

VAR-201311-0106


CVE

CVE-2013-4164


TITLE

Ruby Heap-based buffer overflow vulnerability

Trust: 1.4

sources: CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257

DESCRIPTION

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

Ruby is prone to a heap-based buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the affected function. Failed exploit attempts will likely crash the application. The following versions are vulnerable:

- Ruby 1.8
- Ruby 1.9 prior to 1.9.3-p484
- Ruby 2.0 prior to 2.0.0-p353
- Ruby 2.1 prior to 2.1.0 preview2

The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-1821: Ben Murphy discovered that unrestricted entity expansion in REXML can lead to a Denial of Service by consuming all host memory.

CVE-2013-4073: William (B.J.) Snow Orvis discovered a vulnerability in the hostname checking in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate issued by a trusted certification authority.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.8.7.302-2squeeze2.

For the stable distribution (wheezy), these problems have been fixed in version 1.8.7.358-7.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 1.8.7.358-9.

We recommend that you upgrade your ruby1.8 packages.

Relevant releases/architectures: OpenStack 3 - noarch, x86_64 3.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: ruby security update
Advisory ID:       RHSA-2013:1767-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1767.html
Issue date:        2013-11-26
CVE Names:         CVE-2013-4164
=====================================================================

1. Summary:

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2, 6.3, and 6.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Compute Node EUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.2) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.2) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

A buffer overflow flaw was found in the way Ruby parsed floating point numbers from their text representation.
(CVE-2013-4164)

All ruby users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing

6. Package List:

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2013-4164.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSlPJkXlSAg2UNWIIRAmGVAJ0ftFXiZwwEQYrgDr4bmR7n7pvbtQCbB8VQ
Q2wQW0K2XmUcezCSz0pyQ2M=
=Cisx
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

==========================================================================
Ubuntu Security Notice USN-2035-1
November 27, 2013

ruby1.8, ruby1.9.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Ruby.

(CVE-2013-4164)

Vit Ondruch discovered that Ruby did not perform taint checking for certain functions. An attacker could possibly use this issue to bypass certain intended restrictions. (CVE-2013-2065)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.10:
  libruby1.8                      1.8.7.358-7ubuntu2.1
  libruby1.9.1                    1.9.3.194-8.1ubuntu2.1
  ruby1.8                         1.8.7.358-7ubuntu2.1
  ruby1.9.1                       1.9.3.194-8.1ubuntu2.1

Ubuntu 13.04:
  libruby1.8                      1.8.7.358-7ubuntu1.2
  libruby1.9.1                    1.9.3.194-8.1ubuntu1.2
  ruby1.8                         1.8.7.358-7ubuntu1.2
  ruby1.9.1                       1.9.3.194-8.1ubuntu1.2

Ubuntu 12.10:
  libruby1.8                      1.8.7.358-4ubuntu0.4
  libruby1.9.1                    1.9.3.194-1ubuntu1.6
  ruby1.8                         1.8.7.358-4ubuntu0.4
  ruby1.9.1                       1.9.3.194-1ubuntu1.6

Ubuntu 12.04 LTS:
  libruby1.8                      1.8.7.352-2ubuntu1.4
  libruby1.9.1                    1.9.3.0-1ubuntu2.8
  ruby1.8                         1.8.7.352-2ubuntu1.4
  ruby1.9.1                       1.9.3.0-1ubuntu2.8

In general, a standard system update will make all the necessary changes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201412-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Ruby: Denial of Service
      Date: December 13, 2014
      Bugs: #355439, #369141, #396301, #437366, #442580, #458776, #492282, #527084, #529216
        ID: 201412-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Ruby, allowing context-dependent attackers to cause a Denial of Service condition.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/ruby              < 2.0.0_p598          *>= 1.9.3_p551
                                                       >= 2.0.0_p598

Description
===========

Multiple vulnerabilities have been discovered in Ruby. Please review the CVE identifiers referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby 1.9 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.9.3_p551"

All Ruby 2.0 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.0.0_p598"

References
==========

[  1 ] CVE-2011-0188
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0188
[  2 ] CVE-2011-1004
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1004
[  3 ] CVE-2011-1005
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1005
[  4 ] CVE-2011-4815
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815
[  5 ] CVE-2012-4481
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4481
[  6 ] CVE-2012-5371
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371
[  7 ] CVE-2013-0269
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269
[  8 ] CVE-2013-1821
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821
[  9 ] CVE-2013-4164
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164
[ 10 ] CVE-2014-8080
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8080
[ 11 ] CVE-2014-8090
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8090

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-27.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Trust: 2.52

sources: NVD: CVE-2013-4164 // JVNDB: JVNDB-2013-005257 // BID: 63873 // PACKETSTORM: 124289 // PACKETSTORM: 124704 // PACKETSTORM: 124290 // PACKETSTORM: 124191 // PACKETSTORM: 124207 // PACKETSTORM: 129551 // PACKETSTORM: 124176

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
------------ | ------------------------------------------------ | ----- | ---------------------------------- | -----
ruby lang | ruby | eq | 1.8 | 2.4
ruby lang | ruby | eq | 1.9 | 1.6
ruby lang | ruby | eq | 2.0.0 | 1.6
ruby lang | ruby | eq | 1.9.2 | 1.6
ruby lang | ruby | eq | 1.9.1 | 1.6
ruby lang | ruby | eq | 2.1 | 1.6
ruby lang | ruby | eq | 1.9.3 | 1.6
ruby lang | ruby | lt | 2.0 | 0.8
ruby lang | ruby | eq | 1.9.3-p484 | 0.8
apple | mac os x | eq | v10.8.5 | 0.8
apple | macos server | eq | 3.2.1 | 0.8
apple | macos server | lt | (os x mavericks v10.9.5 or later) | 0.8
ruby lang | ruby | eq | 2.1.0 preview2 | 0.8
apple | macos server | lt | (os x yosemite v10.10 or later) | 0.8
apple | mac os x server | eq | v10.7.5 | 0.8
apple | mac os x | eq | v10.9.2 | 0.8
ruby lang | ruby | lt | 2.1 | 0.8
ruby lang | ruby | lt | 1.9 | 0.8
apple | macos server | eq | 4.0 | 0.8
apple | mac os x | eq | v10.7.5 | 0.8
ruby lang | ruby | eq | 2.0.0-p353 | 0.8
yukihiro | matsumoto ruby dev | eq | 1.9.3 | 0.3
yukihiro | matsumoto ruby rc2 | eq | 1.9.2 | 0.3
yukihiro | matsumoto ruby p180 | eq | 1.9.2 | 0.3
yukihiro | matsumoto ruby p136 | eq | 1.9.2 | 0.3
yukihiro | matsumoto ruby p0 | eq | 1.9.2 | 0.3
yukihiro | matsumoto ruby -rc1 | eq | 1.9.2 | 0.3
yukihiro | matsumoto ruby p431 | eq | 1.9.1 | 0.3
yukihiro | matsumoto ruby -p429 | eq | 1.9.1 | 0.3
yukihiro | matsumoto ruby -p376 | eq | 1.9.1 | 0.3
yukihiro | matsumoto ruby | eq | 1.9.1 | 0.3
yukihiro | matsumoto ruby | eq | 1.9-2 | 0.3
yukihiro | matsumoto ruby | eq | 1.9-1 | 0.3
yukihiro | matsumoto ruby | eq | 1.9 | 0.3
yukihiro | matsumoto ruby -p72 | eq | 1.8.7 | 0.3
yukihiro | matsumoto ruby -p71 | eq | 1.8.7 | 0.3
yukihiro | matsumoto ruby -p22 | eq | 1.8.7 | 0.3
yukihiro | matsumoto ruby -p21 | eq | 1.8.7 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.7 | 0.3
yukihiro | matsumoto ruby -p287 | eq | 1.8.6 | 0.3
yukihiro | matsumoto ruby -p286 | eq | 1.8.6 | 0.3
yukihiro | matsumoto ruby -p230 | eq | 1.8.6 | 0.3
yukihiro | matsumoto ruby -p229 | eq | 1.8.6 | 0.3
yukihiro | matsumoto ruby -p114 | eq | 1.8.6 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.6 | 0.3
yukihiro | matsumoto ruby -p231 | eq | 1.8.5 | 0.3
yukihiro | matsumoto ruby -p230 | eq | 1.8.5 | 0.3
yukihiro | matsumoto ruby -p2 | eq | 1.8.5 | 0.3
yukihiro | matsumoto ruby -p115 | eq | 1.8.5 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.5 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.4 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.3 | 0.3
yukihiro | matsumoto ruby pre4 | eq | 1.8.2 | 0.3
yukihiro | matsumoto ruby pre3 | eq | 1.8.2 | 0.3
yukihiro | matsumoto ruby pre2 | eq | 1.8.2 | 0.3
yukihiro | matsumoto ruby pre1 | eq | 1.8.2 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.2 | 0.3
yukihiro | matsumoto ruby | eq | 1.8.1 | 0.3
yukihiro | matsumoto ruby | eq | 1.8 | 0.3
yukihiro | matsumoto ruby 2.1.0-preview1 | - | - | 0.3
yukihiro | matsumoto ruby 2.0.0-p247 | - | - | 0.3
yukihiro | matsumoto ruby 2.0.0-p195 | - | - | 0.3
yukihiro | matsumoto ruby | eq | 2.0 | 0.3
yukihiro | matsumoto ruby 1.9.3-p448 | - | - | 0.3
yukihiro | matsumoto ruby 1.9.3-p426 | - | - | 0.3
yukihiro | matsumoto ruby 1.9.3-p392 | - | - | 0.3
yukihiro | matsumoto ruby 1.9.3-p327 | - | - | 0.3
yukihiro | matsumoto ruby 1.9.3-p0 | - | - | 0.3
yukihiro | matsumoto ruby pre3 | eq | 1.9.2 | 0.3
yukihiro | matsumoto ruby 1.9.1-p430 | - | - | 0.3
yukihiro | matsumoto ruby 1.9.1-p378 | - | - | 0.3
yukihiro | matsumoto ruby | eq | 1.9.0-3 | 0.3
yukihiro | matsumoto ruby 1.8.8dev | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p374 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p357 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p352 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p334 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p330 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p302 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p299 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p249 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p248 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p173 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.7-p160 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.6-p420 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.6-p399 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.6-p388 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.6-p383 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.6-p369 | - | - | 0.3
yukihiro | matsumoto ruby 1.8.6-p368 | - | - | 0.3
ubuntu | linux | eq | 13.10 | 0.3
ubuntu | linux | eq | 13.04 | 0.3
ubuntu | linux | eq | 12.10 | 0.3
ubuntu | linux | eq | 12.04 | 0.3
suse | linux enterprise software development kit sp3 | eq | 11 | 0.3
suse | linux enterprise server sp3 for vmware | eq | 11 | 0.3
suse | linux enterprise server sp3 | eq | 11 | 0.3
suse | linux enterprise server sp2 for vmware | eq | 11 | 0.3
suse | linux enterprise server sp2 | eq | 11 | 0.3
suse | linux enterprise desktop sp3 | eq | 11 | 0.3
suse | linux enterprise desktop sp2 | eq | 11 | 0.3
suse | studio onsite | eq | 1.3 | 0.3
suse | linux enterprise software development kit sp2 | eq | 11 | 0.3
suse | lifecycle management server | eq | 1.3 | 0.3
slackware | linux | eq | 14.1 | 0.3
slackware | linux | eq | 14.0 | 0.3
slackware | linux | eq | 13.37 | 0.3
slackware | linux | eq | 13.1 | 0.3
s u s e | opensuse | eq | 13.1 | 0.3
s u s e | opensuse | eq | 12.3 | 0.3
s u s e | opensuse | eq | 12.2 | 0.3
redhat | software collections for rhel | eq | 0 | 0.3
redhat | openstack | eq | 3.0 | 0.3
redhat | enterprise linux workstation | eq | 6 | 0.3
redhat | enterprise linux server eus 6.4.z | - | - | 0.3
redhat | enterprise linux server eus 6.3.z | - | - | 0.3
redhat | enterprise linux server eus 6.2.z | - | - | 0.3
redhat | enterprise linux server aus | eq | 6.4 | 0.3
redhat | enterprise linux server aus | eq | 6.2 | 0.3
redhat | enterprise linux server | eq | 6 | 0.3
redhat | enterprise linux hpc node | eq | 6 | 0.3
redhat | enterprise linux high availability eus 6.4.z | - | - | 0.3
redhat | enterprise linux desktop | eq | 6 | 0.3
redhat | cloudforms | eq | 3.0 | 0.3
puppetlabs | puppet enterprise | eq | 3.1 | 0.3
puppetlabs | puppet enterprise | eq | 2.8.3 | 0.3
puppetlabs | puppet enterprise | eq | 2.8.2 | 0.3
puppetlabs | puppet enterprise | eq | 2.8.0 | 0.3
oracle | solaris | eq | 11.2 | 0.3
oracle | enterprise linux | eq | 6.2 | 0.3
oracle | enterprise linux | eq | 6 | 0.3
mandriva | business server | eq | 1x8664 | 0.3
mandriva | business server | eq | 1 | 0.3
mandrakesoft | enterprise server x86 64 | eq | 5 | 0.3
mandrakesoft | enterprise server | eq | 5 | 0.3
ibm | security network protection xgs | eq | 51005.1.1 | 0.3
ibm | security network protection xgs | eq | 51005.1 | 0.3
ibm | security network protection xgs | eq | 5.1.2 | 0.3
gentoo | linux | - | - | 0.3
debian | linux sparc | eq | 6.0 | 0.3
debian | linux s/390 | eq | 6.0 | 0.3
debian | linux powerpc | eq | 6.0 | 0.3
debian | linux mips | eq | 6.0 | 0.3
debian | linux ia-64 | eq | 6.0 | 0.3
debian | linux ia-32 | eq | 6.0 | 0.3
debian | linux arm | eq | 6.0 | 0.3
debian | linux amd64 | eq | 6.0 | 0.3
apple | os mavericks | eq | x10.9.2 | 0.3
apple | mac os server | eq | x10.7.5 | 0.3
apple | mac os server | eq | x10.6.3 | 0.3
apple | mac os server | eq | x10.5.3 | 0.3
apple | mac os server | eq | x10.4.3 | 0.3
apple | mac os server | eq | x10.3.9 | 0.3
apple | mac os server | eq | x10.3.8 | 0.3
apple | mac os server | eq | x10.3.7 | 0.3
apple | mac os server | eq | x10.3.6 | 0.3
apple | mac os server | eq | x10.3.5 | 0.3
apple | mac os server | eq | x10.3.4 | 0.3
apple | mac os server | eq | x10.3.3 | 0.3
apple | mac os server | eq | x10.3.2 | 0.3
apple | mac os server | eq | x10.3.1 | 0.3
apple | mac os server | eq | x10.3 | 0.3
apple | mac os server | eq | x10.2.3 | 0.3
apple | mac os server | eq | x10.1.3 | 0.3
apple | mac os server | eq | x3.0 | 0.3
apple | mac os server | eq | x2.0 | 0.3
apple | mac os server | eq | x10.7.3 | 0.3
apple | mac os | eq | x10.8.5 | 0.3
apple | mac os | eq | x10.7.5 | 0.3
apple | mac os | eq | x10.9.2 | 0.3
yukihiro | matsumoto ruby 2.1.0-preview2 | ne | - | 0.3
yukihiro | matsumoto ruby 2.0.0-p353 | ne | - | 0.3
yukihiro | matsumoto ruby 1.9.3-p484 | ne | - | 0.3
puppetlabs | puppet enterprise | ne | 3.1.1 | 0.3
puppetlabs | puppet enterprise | ne | 2.8.4 | 0.3
apple | os mavericks | ne | x10.9.3 | 0.3
apple | mac os server | ne | x3.1.2 | 0.3
apple | mac os server | ne | x4.0 | 0.3

sources: BID: 63873 // CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

CVSS

SEVERITY

nvd@nist.gov: CVE-2013-4164
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-4164
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201311-353
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2013-4164
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

sources: CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

PROBLEMTYPE DATA

problemtype: CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-353

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201311-353

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005257

PATCH

title                                                    Trust  url
HT6207                                                   0.8    http://support.apple.com/kb/HT6207
HT6248                                                   0.8    http://support.apple.com/kb/HT6248
HT6536                                                   0.8    http://support.apple.com/kb/HT6536
HT6207                                                   0.8    http://support.apple.com/kb/HT6207?viewlocale=ja_JP
HT6248                                                   0.8    http://support.apple.com/kb/HT6248?viewlocale=ja_JP
HT6536                                                   0.8    http://support.apple.com/kb/HT6536?viewlocale=ja_JP
DSA-2810                                                 0.8    http://www.debian.org/security/2013/dsa-2810
openSUSE-SU-2013:1834                                    0.8    http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
openSUSE-SU-2013:1835                                    0.8    http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
Multiple vulnerabilities in Ruby                         0.8    https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_ruby1
Bug 1033460                                              0.8    https://bugzilla.redhat.com/show_bug.cgi?id=1033460
RHSA-2014:0215                                           0.8    https://rhn.redhat.com/errata/RHSA-2014-0215.html
RHSA-2013:1763                                           0.8    http://rhn.redhat.com/errata/RHSA-2013-1763.html
RHSA-2013:1764                                           0.8    http://rhn.redhat.com/errata/RHSA-2013-1764.html
RHSA-2013:1767                                           0.8    http://rhn.redhat.com/errata/RHSA-2013-1767.html
RHSA-2014:0011                                           0.8    https://rhn.redhat.com/errata/RHSA-2014-0011.html
Ruby 2.0.0-p353 is released                              0.8    https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
Ruby 1.9.3-p484 is released                              0.8    https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
Heap Overflow in Floating Point Parsing (CVE-2013-4164)  0.8    https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
CVE-2013-4164 Buffer Errors vulnerability in Ruby        0.8    https://blogs.oracle.com/sunsecurity/entry/cve_2013_4164_buffer_errors
ruby-2.0.0-p353                                          0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49037
ruby-2.1.0-preview2                                      0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49041
ruby-1.9.3-p484                                          0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49036
ruby-2.1.0-preview2                                      0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49040
ruby-1.9.3-p484                                          0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49034
ruby-2.0.0-p353                                          0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49039
ruby-1.9.3-p484                                          0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49032
ruby-2.0.0-p353                                          0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49038
ruby-2.1.0-preview2                                      0.6    http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49042

sources: CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257

EXTERNAL IDS

db           id                 Trust
NVD          CVE-2013-4164      3.4
OSVDB        100113             1.6
SECUNIA      55787              1.6
BID          63873              1.3
SECUNIA      57376              1.0
JVN          JVNVU95860341      0.8
JVN          JVNVU97537282      0.8
JVNDB        JVNDB-2013-005257  0.8
CNNVD        CNNVD-201311-353   0.6
PACKETSTORM  124289             0.1
PACKETSTORM  124704             0.1
PACKETSTORM  124290             0.1
PACKETSTORM  124191             0.1
PACKETSTORM  124207             0.1
PACKETSTORM  129551             0.1
PACKETSTORM  124176             0.1

sources: BID: 63873 // PACKETSTORM: 124289 // PACKETSTORM: 124704 // PACKETSTORM: 124290 // PACKETSTORM: 124191 // PACKETSTORM: 124207 // PACKETSTORM: 129551 // PACKETSTORM: 124176 // CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

REFERENCES

Trust  url
1.8    http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
1.8    http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
1.6    https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
1.6    https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
1.6    https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
1.6    http://secunia.com/advisories/55787
1.6    http://osvdb.org/100113
1.4    http://rhn.redhat.com/errata/rhsa-2013-1767.html
1.4    http://rhn.redhat.com/errata/rhsa-2014-0011.html
1.4    http://rhn.redhat.com/errata/rhsa-2013-1764.html
1.3    https://support.apple.com/kb/ht6536
1.3    http://rhn.redhat.com/errata/rhsa-2013-1763.html
1.3    http://rhn.redhat.com/errata/rhsa-2014-0215.html
1.1    http://www.ubuntu.com/usn/usn-2035-1
1.0    http://secunia.com/advisories/57376
1.0    http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00009.html
1.0    http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
1.0    http://www.debian.org/security/2013/dsa-2809
1.0    https://puppet.com/security/cve/cve-2013-4164
1.0    http://www.debian.org/security/2013/dsa-2810
1.0    http://www.securityfocus.com/bid/63873
1.0    http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
0.8    http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4164
0.8    http://jvn.jp/vu/jvnvu95860341/index.html
0.8    http://jvn.jp/vu/jvnvu97537282/index.html
0.8    http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4164
0.7    https://nvd.nist.gov/vuln/detail/cve-2013-4164
0.3    http://seclists.org/bugtraq/2014/apr/133
0.3    http://puppetlabs.com/security/cve/cve-2013-4164
0.3    http://www.ruby-lang.org
0.3    http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2013&m=slackware-security.484609
0.3    https://blogs.oracle.com/sunsecurity/entry/cve_2013_4164_buffer_errors
0.3    https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
0.3    http://www-01.ibm.com/support/docview.wss?uid=swg21665279
0.3    https://www.redhat.com/mailman/listinfo/rhsa-announce
0.3    https://access.redhat.com/security/team/key/#package
0.3    https://access.redhat.com/site/articles/11258
0.3    https://bugzilla.redhat.com/
0.3    https://access.redhat.com/security/updates/classification/#critical
0.3    https://www.redhat.com/security/data/cve/cve-2013-4164.html
0.3    https://access.redhat.com/security/team/contact/
0.2    https://nvd.nist.gov/vuln/detail/cve-2013-1821
0.2    http://www.debian.org/security/faq
0.2    http://www.debian.org/security/
0.1    https://nvd.nist.gov/vuln/detail/cve-2013-4073
0.1    https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.6
0.1    https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu1.4
0.1    https://nvd.nist.gov/vuln/detail/cve-2013-2065
0.1    https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-7ubuntu1.2
0.1    https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.8
0.1    https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-4ubuntu0.4
0.1    https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-8.1ubuntu2.1
0.1    https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-8.1ubuntu1.2
0.1    https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-7ubuntu2.1
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-4815
0.1    https://nvd.nist.gov/vuln/detail/cve-2011-0188
0.1    https://nvd.nist.gov/vuln/detail/cve-2011-1005
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-5371
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1005
0.1    https://nvd.nist.gov/vuln/detail/cve-2013-0269
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-1821
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-8080
0.1    https://nvd.nist.gov/vuln/detail/cve-2014-8080
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-0188
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-0269
0.1    https://nvd.nist.gov/vuln/detail/cve-2012-5371
0.1    https://nvd.nist.gov/vuln/detail/cve-2011-1004
0.1    https://nvd.nist.gov/vuln/detail/cve-2014-8090
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1004
0.1    http://creativecommons.org/licenses/by-sa/2.5
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-4164
0.1    http://security.gentoo.org/
0.1    https://nvd.nist.gov/vuln/detail/cve-2012-4481
0.1    https://nvd.nist.gov/vuln/detail/cve-2011-4815
0.1    http://security.gentoo.org/glsa/glsa-201412-27.xml
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-8090
0.1    http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4481
0.1    https://bugs.gentoo.org

sources: BID: 63873 // PACKETSTORM: 124289 // PACKETSTORM: 124704 // PACKETSTORM: 124290 // PACKETSTORM: 124191 // PACKETSTORM: 124207 // PACKETSTORM: 129551 // PACKETSTORM: 124176 // CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

CREDITS

Charlie Somerville

Trust: 0.3

sources: BID: 63873

SOURCES

db           id
BID          63873
PACKETSTORM  124289
PACKETSTORM  124704
PACKETSTORM  124290
PACKETSTORM  124191
PACKETSTORM  124207
PACKETSTORM  129551
PACKETSTORM  124176
CNNVD        CNNVD-201311-353
JVNDB        JVNDB-2013-005257
NVD          CVE-2013-4164

LAST UPDATE DATE

2026-03-30T21:25:58.327000+00:00


SOURCES UPDATE DATE

db     id                 date
BID    63873              2015-04-13T21:19:00
CNNVD  CNNVD-201311-353   2013-11-29T00:00:00
JVNDB  JVNDB-2013-005257  2015-08-10T00:00:00
NVD    CVE-2013-4164      2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db           id                 date
BID          63873              2013-11-22T00:00:00
PACKETSTORM  124289             2013-12-05T04:52:34
PACKETSTORM  124704             2014-01-08T00:11:54
PACKETSTORM  124290             2013-12-05T04:52:45
PACKETSTORM  124191             2013-11-27T16:32:20
PACKETSTORM  124207             2013-11-27T23:33:00
PACKETSTORM  129551             2014-12-15T19:58:46
PACKETSTORM  124176             2013-11-26T01:47:59
CNNVD        CNNVD-201311-353   2013-11-29T00:00:00
JVNDB        JVNDB-2013-005257  2013-11-27T00:00:00
NVD          CVE-2013-4164      2013-11-23T19:55:03.517