Sign-up

ID

VAR-201311-0106


CVE

CVE-2013-4164


TITLE

Ruby Heap-based buffer overflow vulnerability

Trust: 1.4

sources: CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257

DESCRIPTION

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. Ruby is prone to a heap-based buffer overflow vulnerability because it fails to adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the affected function. Failed exploit attempts will likely crash the application. Following versions are vulnerable: Ruby 1.8 Ruby 1.9 prior to 1.9.3-p484 Ruby 2.0 prior to 2.0.0-p353 Ruby 2.1 prior to 2.1.0 preview2. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-1821 Ben Murphy discovered that unrestricted entity expansion in REXML can lead to a Denial of Service by consuming all host memory. CVE-2013-4073 William (B.J.) Snow Orvis discovered a vulnerability in the hostname checking in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate issued by a trusted certification authority. For the oldstable distribution (squeeze), these problems have been fixed in version 1.8.7.302-2squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 1.8.7.358-7.1+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.8.7.358-9. We recommend that you upgrade your ruby1.8 packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: ruby security update Advisory ID: RHSA-2013:1767-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1767.html Issue date: 2013-11-26 CVE Names: CVE-2013-4164 ===================================================================== 1. Summary: Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2, 6.3, and 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Compute Node EUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux Server EUS (v. 6.2) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.2) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. A buffer overflow flaw was found in the way Ruby parsed floating point numbers from their text representation. (CVE-2013-4164) All ruby users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing 6. Package List: Red Hat Enterprise Linux Compute Node EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm x86_64: ruby-1.8.7.352-13.el6_2.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-irb-1.8.7.352-13.el6_2.x86_64.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Compute Node EUS (v. 6.3): Source: ruby-1.8.7.352-13.el6_3.src.rpm x86_64: ruby-1.8.7.352-13.el6_3.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.x86_64.rpm ruby-irb-1.8.7.352-13.el6_3.x86_64.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm x86_64: ruby-1.8.7.352-13.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.x86_64.rpm ruby-irb-1.8.7.352-13.el6_4.x86_64.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_4.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-docs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm ruby-ri-1.8.7.352-13.el6_2.x86_64.rpm ruby-static-1.8.7.352-13.el6_2.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) : Source: ruby-1.8.7.352-13.el6_3.src.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-docs-1.8.7.352-13.el6_3.x86_64.rpm ruby-ri-1.8.7.352-13.el6_3.x86_64.rpm ruby-static-1.8.7.352-13.el6_3.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-docs-1.8.7.352-13.el6_4.x86_64.rpm ruby-ri-1.8.7.352-13.el6_4.x86_64.rpm ruby-static-1.8.7.352-13.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_4.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm i386: ruby-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-irb-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-rdoc-1.8.7.352-13.el6_2.i686.rpm ppc64: ruby-1.8.7.352-13.el6_2.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc64.rpm ruby-devel-1.8.7.352-13.el6_2.ppc.rpm ruby-devel-1.8.7.352-13.el6_2.ppc64.rpm ruby-irb-1.8.7.352-13.el6_2.ppc64.rpm ruby-libs-1.8.7.352-13.el6_2.ppc.rpm ruby-libs-1.8.7.352-13.el6_2.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_2.ppc64.rpm s390x: ruby-1.8.7.352-13.el6_2.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390x.rpm ruby-devel-1.8.7.352-13.el6_2.s390.rpm ruby-devel-1.8.7.352-13.el6_2.s390x.rpm ruby-irb-1.8.7.352-13.el6_2.s390x.rpm ruby-libs-1.8.7.352-13.el6_2.s390.rpm ruby-libs-1.8.7.352-13.el6_2.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_2.s390x.rpm x86_64: ruby-1.8.7.352-13.el6_2.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-irb-1.8.7.352-13.el6_2.x86_64.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.3): Source: ruby-1.8.7.352-13.el6_3.src.rpm i386: ruby-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-irb-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-rdoc-1.8.7.352-13.el6_3.i686.rpm ppc64: ruby-1.8.7.352-13.el6_3.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_3.ppc64.rpm ruby-devel-1.8.7.352-13.el6_3.ppc.rpm ruby-devel-1.8.7.352-13.el6_3.ppc64.rpm ruby-irb-1.8.7.352-13.el6_3.ppc64.rpm ruby-libs-1.8.7.352-13.el6_3.ppc.rpm ruby-libs-1.8.7.352-13.el6_3.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_3.ppc64.rpm s390x: ruby-1.8.7.352-13.el6_3.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_3.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_3.s390x.rpm ruby-devel-1.8.7.352-13.el6_3.s390.rpm ruby-devel-1.8.7.352-13.el6_3.s390x.rpm ruby-irb-1.8.7.352-13.el6_3.s390x.rpm ruby-libs-1.8.7.352-13.el6_3.s390.rpm ruby-libs-1.8.7.352-13.el6_3.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_3.s390x.rpm x86_64: ruby-1.8.7.352-13.el6_3.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.x86_64.rpm ruby-irb-1.8.7.352-13.el6_3.x86_64.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm i386: ruby-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-irb-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-rdoc-1.8.7.352-13.el6_4.i686.rpm ppc64: ruby-1.8.7.352-13.el6_4.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_4.ppc64.rpm ruby-devel-1.8.7.352-13.el6_4.ppc.rpm ruby-devel-1.8.7.352-13.el6_4.ppc64.rpm ruby-irb-1.8.7.352-13.el6_4.ppc64.rpm ruby-libs-1.8.7.352-13.el6_4.ppc.rpm ruby-libs-1.8.7.352-13.el6_4.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_4.ppc64.rpm s390x: ruby-1.8.7.352-13.el6_4.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_4.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_4.s390x.rpm ruby-devel-1.8.7.352-13.el6_4.s390.rpm ruby-devel-1.8.7.352-13.el6_4.s390x.rpm ruby-irb-1.8.7.352-13.el6_4.s390x.rpm ruby-libs-1.8.7.352-13.el6_4.s390.rpm ruby-libs-1.8.7.352-13.el6_4.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_4.s390x.rpm x86_64: ruby-1.8.7.352-13.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.x86_64.rpm ruby-irb-1.8.7.352-13.el6_4.x86_64.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm i386: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-docs-1.8.7.352-13.el6_2.i686.rpm ruby-rdoc-1.8.7.352-13.el6_2.i686.rpm ruby-ri-1.8.7.352-13.el6_2.i686.rpm ruby-static-1.8.7.352-13.el6_2.i686.rpm ruby-tcltk-1.8.7.352-13.el6_2.i686.rpm ppc64: ruby-debuginfo-1.8.7.352-13.el6_2.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc64.rpm ruby-devel-1.8.7.352-13.el6_2.ppc.rpm ruby-devel-1.8.7.352-13.el6_2.ppc64.rpm ruby-docs-1.8.7.352-13.el6_2.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_2.ppc64.rpm ruby-ri-1.8.7.352-13.el6_2.ppc64.rpm ruby-static-1.8.7.352-13.el6_2.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_2.ppc64.rpm s390x: ruby-debuginfo-1.8.7.352-13.el6_2.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390x.rpm ruby-devel-1.8.7.352-13.el6_2.s390.rpm ruby-devel-1.8.7.352-13.el6_2.s390x.rpm ruby-docs-1.8.7.352-13.el6_2.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_2.s390x.rpm ruby-ri-1.8.7.352-13.el6_2.s390x.rpm ruby-static-1.8.7.352-13.el6_2.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_2.s390x.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-docs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm ruby-ri-1.8.7.352-13.el6_2.x86_64.rpm ruby-static-1.8.7.352-13.el6_2.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.3): Source: ruby-1.8.7.352-13.el6_3.src.rpm i386: ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-docs-1.8.7.352-13.el6_3.i686.rpm ruby-ri-1.8.7.352-13.el6_3.i686.rpm ruby-static-1.8.7.352-13.el6_3.i686.rpm ruby-tcltk-1.8.7.352-13.el6_3.i686.rpm ppc64: ruby-debuginfo-1.8.7.352-13.el6_3.ppc64.rpm ruby-docs-1.8.7.352-13.el6_3.ppc64.rpm ruby-ri-1.8.7.352-13.el6_3.ppc64.rpm ruby-static-1.8.7.352-13.el6_3.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_3.ppc64.rpm s390x: ruby-debuginfo-1.8.7.352-13.el6_3.s390x.rpm ruby-docs-1.8.7.352-13.el6_3.s390x.rpm ruby-ri-1.8.7.352-13.el6_3.s390x.rpm ruby-static-1.8.7.352-13.el6_3.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_3.s390x.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-docs-1.8.7.352-13.el6_3.x86_64.rpm ruby-ri-1.8.7.352-13.el6_3.x86_64.rpm ruby-static-1.8.7.352-13.el6_3.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm i386: ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-docs-1.8.7.352-13.el6_4.i686.rpm ruby-ri-1.8.7.352-13.el6_4.i686.rpm ruby-static-1.8.7.352-13.el6_4.i686.rpm ruby-tcltk-1.8.7.352-13.el6_4.i686.rpm ppc64: ruby-debuginfo-1.8.7.352-13.el6_4.ppc64.rpm ruby-docs-1.8.7.352-13.el6_4.ppc64.rpm ruby-ri-1.8.7.352-13.el6_4.ppc64.rpm ruby-static-1.8.7.352-13.el6_4.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_4.ppc64.rpm s390x: ruby-debuginfo-1.8.7.352-13.el6_4.s390x.rpm ruby-docs-1.8.7.352-13.el6_4.s390x.rpm ruby-ri-1.8.7.352-13.el6_4.s390x.rpm ruby-static-1.8.7.352-13.el6_4.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_4.s390x.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-docs-1.8.7.352-13.el6_4.x86_64.rpm ruby-ri-1.8.7.352-13.el6_4.x86_64.rpm ruby-static-1.8.7.352-13.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-4164.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSlPJkXlSAg2UNWIIRAmGVAJ0ftFXiZwwEQYrgDr4bmR7n7pvbtQCbB8VQ Q2wQW0K2XmUcezCSz0pyQ2M= =Cisx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-04-22-1 Security Update 2014-002 Security Update 2014-002 is now available and addresses the following: CFNetwork HTTPProtocol Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 Impact: An attacker in a privileged network position can obtain web site credentials Description: Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines. CVE-ID CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris CoreServicesUIAgent Available for: OS X Mavericks v10.9.2 Impact: Visiting a maliciously crafted website or URL may result in an unexpected application termination or arbitrary code execution Description: A format string issue existed in the handling of URLs. This issue was addressed through additional validation of URLs. This issue does not affect systems prior to OS X Mavericks. CVE-ID CVE-2014-1315 : Lukasz Pilorz of runic.pl, Erik Kooistra FontParser Available for: OS X Mountain Lion v10.8.5 Impact: Opening a maliciously crafted PDF file may result in an unexpected application termination or arbitrary code execution Description: A buffer underflow existed in the handling of fonts in PDF files. This issue was addressed through additional bounds checking. This issue does not affect OS X Mavericks systems. CVE-ID CVE-2013-5170 : Will Dormann of CERT/CC Heimdal Kerberos Available for: OS X Mavericks v10.9.2 Impact: A remote attacker may be able to cause a denial of service Description: A reachable abort existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data. CVE-ID CVE-2014-1316 : Joonas Kuorilehto of Codenomicon ImageIO Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 Impact: Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ImageIO's handling of JPEG images. This issue was addressed through improved bounds checking. This issue does not affect systems prior to OS X Mavericks. CVE-ID CVE-2014-1319 : Cristian Draghici of Modulo Consulting, Karl Smith of NCC Group Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 Impact: A malicious application can take control of the system Description: A validation issue existed in the handling of a pointer from userspace. This issue was addressed through additional validation of pointers. CVE-ID CVE-2014-1318 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative IOKit Kernel Available for: OS X Mavericks v10.9.2 Impact: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization Description: A set of kernel pointers stored in an IOKit object could be retrieved from userland. This issue was addressed through removing the pointers from the object. CVE-ID CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative Kernel Available for: OS X Mavericks v10.9.2 Impact: A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization Description: A kernel pointer stored in a XNU object could be retrieved from userland. This issue was addressed through removing the pointer from the object. CVE-ID CVE-2014-1322 : Ian Beer of Google Project Zero Power Management Available for: OS X Mavericks v10.9.2 Impact: The screen might not lock Description: If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep. This issue does not affect systems prior to OS X Mavericks. CVE-ID CVE-2014-1321 : Paul Kleeberg of Stratis Health Bloomington MN, Julian Sincu at the Baden-Wuerttemberg Cooperative State University (DHBW Stuttgart), Gerben Wierda of R&A, Daniel Luz Ruby Available for: OS X Mavericks v10.9.2 Impact: Running a Ruby script that handles untrusted YAML tags may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in LibYAML's handling of YAML tags. This issue was addressed through additional validation of YAML tags. This issue does not affect systems prior to OS X Mavericks. CVE-ID CVE-2013-6393 Ruby Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 Impact: Running a Ruby script that uses untrusted input to create a Float object may lead to an unexpected application termination or arbitrary code execution Description: A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value. This issue was addressed through additional validation of floating point values. CVE-ID CVE-2013-4164 Security - Secure Transport Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL Description: In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection. This issue does not affect Mac OS X 10.7 systems and earlier. CVE-ID CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti of Prosecco at Inria Paris WindowServer Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 Impact: Maliciously crafted applications can execute arbitrary code outside the sandbox Description: WindowServer sessions could be created by sandboxed applications. This issue was addressed by disallowing sandboxed applications from creating WindowServer sessions. CVE-ID CVE-2014-1314 : KeenTeam working with HP's Zero Day Initiative Note: Security Update 2014-002 for OS X Mavericks systems includes the security content of Safari 7.0.3: http://support.apple.com/kb/HT6181 Security Update 2014-002 may be obtained via the Apple Software Update application, and from the Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTVqgEAAoJEPefwLHPlZEw0L8P/RIqgQPc1/RnmPBCKVnZ0QyI 8V9jV07LyXTPySL3at/sAFac148ZYqu9cSKtRWB1oAQCnC8C20EIDLBvsysmKT/a zqLUP8ZGcd4jC4UYUleVgl4U9SXkp0L/HwpASXeRHGeUd/tN4eCBEgDfKSMdm8/s 4S70gTQPRRsQR3D8RkcOITJVFCaDFy/em3AbEJyAm7yDsDOinJdRrirRe7W1Q/p6 KBOmQYb73m0ykg08jgCjohxhTE9gpNeMeR7smN+7GsRb6XFlUOJGtnlePyLm1hN3 85e0KRnQyhTGXJ7y6MTmKzzwJ6/iVZvEeXK1IFwXEkwLLmp5uhp7wfT3DkZZSnBm +uo5g2aSQ80+7ZR9psUQwXOn8/6cFyKbG5tHxkh8IY6qLacvHP5yBcw3gqlUNPg5 2vCNWqhL8fEqncx7K1QC8CxwLQMVw9QnolukdjOxT66+kI0F/mDGeGdf/mYkGBJF ZECjWZsoekGq4TMu75MPn8BlwFpaLnObPi9pC+56BDhEz7f39bqBvkAaW61cQgj4 lRwlEHWNBFlO9XVkQwdmYrZoaeAAVxGG+iPt225dmXXZtWGMs5nYIzPj8GzRoNWQ gYAGZAOBr6pGJCQmfJIy4tLKj0H9za9pxX9RqavKrZyEtTcxpUmrh91mGZiI4eo0 7hmpILk22+6xv6pWCw8D =WWPv -----END PGP SIGNATURE----- . Relevant releases/architectures: Management Engine - noarch, x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation enterprises need to address the challenges of managing virtual environments, which are far more complex than physical ones. This technology enables enterprises with existing virtual infrastructures to improve visibility and control, and those just starting virtualization deployments to build and operate a well-managed virtual infrastructure. (CVE-2013-4164) It was found that Red Hat CloudForms Management Engine did not properly sanitize user-supplied values in the ServiceController. (CVE-2014-0057) It was found that several number conversion helpers in Action View did not properly escape all their parameters. An attacker could use these flaws to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user as parameters to the affected helpers. (CVE-2014-0081) A memory consumption issue was discovered in the text rendering component of Action View. A remote attacker could use this flaw to perform a denial of service attack by sending specially crafted queries that would result in the creation of Ruby symbols that were never garbage collected. (CVE-2014-0082) Red Hat would like to thank the Ruby on Rails Project for reporting CVE-2014-0081 and CVE-2014-0082. Upstream acknowledges Kevin Reintjes as the original reporter of CVE-2014-0081, and Toby Hsieh of SlideShare as the original reporter of CVE-2014-0082. This update fixes several bugs and adds multiple enhancements. Documentation for these changes will be available shortly from the Red Hat CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the References section

Trust: 2.43

sources: NVD: CVE-2013-4164 // JVNDB: JVNDB-2013-005257 // BID: 63873 // PACKETSTORM: 124289 // PACKETSTORM: 124704 // PACKETSTORM: 124290 // PACKETSTORM: 124191 // PACKETSTORM: 126269 // PACKETSTORM: 125651

AFFECTED PRODUCTS

vendor:ruby langmodel:rubyscope:eqversion:1.8

Trust: 2.4

vendor:ruby langmodel:rubyscope:eqversion:1.9

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:2.0.0

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:1.9.2

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:1.9.1

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:2.1

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:1.9.3

Trust: 1.6

vendor:ruby langmodel:rubyscope:ltversion:2.0

Trust: 0.8

vendor:ruby langmodel:rubyscope:eqversion:1.9.3-p484

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.8.5

Trust: 0.8

vendor:applemodel:macos serverscope:eqversion:3.2.1

Trust: 0.8

vendor:applemodel:macos serverscope:ltversion:(os x mavericks v10.9.5 or later )

Trust: 0.8

vendor:ruby langmodel:rubyscope:eqversion:2.1.0 preview2

Trust: 0.8

vendor:applemodel:macos serverscope:ltversion:(os x yosemite v10.10 or later )

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.7.5

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.9.2

Trust: 0.8

vendor:ruby langmodel:rubyscope:ltversion:2.1

Trust: 0.8

vendor:ruby langmodel:rubyscope:ltversion:1.9

Trust: 0.8

vendor:applemodel:macos serverscope:eqversion:4.0

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.7.5

Trust: 0.8

vendor:ruby langmodel:rubyscope:eqversion:2.0.0-p353

Trust: 0.8

vendor:yukihiromodel:matsumoto ruby devscope:eqversion:1.9.3

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby rc2scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p180scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p136scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p0scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -rc1scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p431scope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p429scope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p376scope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9-2

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9-1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p72scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p71scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p22scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p21scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p287scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p286scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p230scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p229scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p114scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p231scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p230scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p2scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p115scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.4

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.3

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre4scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre3scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre2scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre1scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.1.0-preview1scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.0.0-p247scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.0.0-p195scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:2.0

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p448scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p426scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p392scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p327scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p0scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre3scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.1-p430scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.1-p378scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9.0-3

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.8devscope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p374scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p357scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p352scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p334scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p330scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p302scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p299scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p249scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p248scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p173scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p160scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p420scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p399scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p388scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p383scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p369scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p368scope: - version: -

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:13.10

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:13.04

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:12.10

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:12.04

Trust: 0.3

vendor:susemodel:linux enterprise software development kit sp3scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp3 for vmwarescope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp3scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp2 for vmwarescope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise desktop sp3scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise desktop sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:studio onsitescope:eqversion:1.3

Trust: 0.3

vendor:susemodel:linux enterprise software development kit sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:lifecycle management serverscope:eqversion:1.3

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:14.1

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:14.0

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:13.37

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:13.1

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:13.1

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:12.3

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:12.2

Trust: 0.3

vendor:redhatmodel:software collections for rhelscope:eqversion:0

Trust: 0.3

vendor:redhatmodel:openstackscope:eqversion:3.0

Trust: 0.3

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux server eus 6.4.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux server eus 6.3.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux server eus 6.2.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux server ausscope:eqversion:6.4

Trust: 0.3

vendor:redhatmodel:enterprise linux server ausscope:eqversion:6.2

Trust: 0.3

vendor:redhatmodel:enterprise linux serverscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux hpc nodescope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux high availability eus 6.4.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux desktopscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:cloudformsscope:eqversion:3.0

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:3.1

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:2.8.3

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:2.8.2

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:2.8.0

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:11.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:mandrivamodel:business serverscope:eqversion:1x8664

Trust: 0.3

vendor:mandrivamodel:business serverscope:eqversion:1

Trust: 0.3

vendor:mandrakesoftmodel:enterprise server x86 64scope:eqversion:5

Trust: 0.3

vendor:mandrakesoftmodel:enterprise serverscope:eqversion:5

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:51005.1.1

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:51005.1

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:5.1.2

Trust: 0.3

vendor:gentoomodel:linuxscope: - version: -

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:6.0

Trust: 0.3

vendor:applemodel:os mavericksscope:eqversion:x10.9.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.1.0-preview2scope:neversion: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.0.0-p353scope:neversion: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p484scope:neversion: -

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:neversion:3.1.1

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:neversion:2.8.4

Trust: 0.3

vendor:applemodel:os mavericksscope:neversion:x10.9.3

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x3.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x4.0

Trust: 0.3

sources: BID: 63873 // CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4164
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-4164
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201311-353
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-4164
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CNNVD: CNNVD-201311-353 // JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-353

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201311-353

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-005257

PATCH
title:HT6207url:http://support.apple.com/kb/HT6207
Trust: 0.8
title:HT6248url:http://support.apple.com/kb/HT6248
Trust: 0.8
title:HT6536url:http://support.apple.com/kb/HT6536
Trust: 0.8
title:HT6207url:http://support.apple.com/kb/HT6207?viewlocale=ja_JP
Trust: 0.8
title:HT6248url:http://support.apple.com/kb/HT6248?viewlocale=ja_JP
Trust: 0.8
title:HT6536url:http://support.apple.com/kb/HT6536?viewlocale=ja_JP
Trust: 0.8
title:DSA-2810url:http://www.debian.org/security/2013/dsa-2810
Trust: 0.8
title:openSUSE-SU-2013:1834url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
Trust: 0.8
title:openSUSE-SU-2013:1835url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
Trust: 0.8
title:Multiple vulnerabilities in Rubyurl:https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_ruby1
Trust: 0.8
title:Bug 1033460url:https://bugzilla.redhat.com/show_bug.cgi?id=1033460
Trust: 0.8
title:RHSA-2014:0215url:https://rhn.redhat.com/errata/RHSA-2014-0215.html
Trust: 0.8
title:RHSA-2013:1763url:http://rhn.redhat.com/errata/RHSA-2013-1763.html
Trust: 0.8
title:RHSA-2013:1764url:http://rhn.redhat.com/errata/RHSA-2013-1764.html
Trust: 0.8
title:RHSA-2013:1767url:http://rhn.redhat.com/errata/RHSA-2013-1767.html
Trust: 0.8
title:RHSA-2014:0011url:https://rhn.redhat.com/errata/RHSA-2014-0011.html
Trust: 0.8
title:Ruby 2.0.0-p353 is releasedurl:https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
Trust: 0.8
title:Ruby 1.9.3-p484 is releasedurl:https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
Trust: 0.8
title:Heap Overflow in Floating Point Parsing (CVE-2013-4164)url:https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
Trust: 0.8
title:CVE-2013-4164 Buffer Errors vulnerability in Rubyurl:https://blogs.oracle.com/sunsecurity/entry/cve_2013_4164_buffer_errors
Trust: 0.8
title:ruby-2.0.0-p353url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49037
Trust: 0.6
title:ruby-2.1.0-preview2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49041
Trust: 0.6
title:ruby-1.9.3-p484url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49036
Trust: 0.6
title:ruby-2.1.0-preview2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49040
Trust: 0.6
title:ruby-1.9.3-p484url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49034
Trust: 0.6
title:ruby-2.0.0-p353url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49039
Trust: 0.6
title:ruby-1.9.3-p484url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49032
Trust: 0.6
title:ruby-2.0.0-p353url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49038
Trust: 0.6
title:ruby-2.1.0-preview2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49042
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201311-353 // 
            
            
            
            JVNDB: JVNDB-2013-005257

EXTERNAL IDS
db:NVDid:CVE-2013-4164
Trust: 3.3
db:OSVDBid:100113
Trust: 1.6
db:SECUNIAid:55787
Trust: 1.6
db:BIDid:63873
Trust: 1.3
db:SECUNIAid:57376
Trust: 1.0
db:JVNid:JVNVU95860341
Trust: 0.8
db:JVNid:JVNVU97537282
Trust: 0.8
db:JVNDBid:JVNDB-2013-005257
Trust: 0.8
db:CNNVDid:CNNVD-201311-353
Trust: 0.6
db:PACKETSTORMid:124289
Trust: 0.1
db:PACKETSTORMid:124704
Trust: 0.1
db:PACKETSTORMid:124290
Trust: 0.1
db:PACKETSTORMid:124191
Trust: 0.1
db:PACKETSTORMid:126269
Trust: 0.1
db:PACKETSTORMid:125651
Trust: 0.1
sources:
            
            
            BID: 63873 // 
            
            
            
            PACKETSTORM: 124289 // 
            
            
            
            PACKETSTORM: 124704 // 
            
            
            
            PACKETSTORM: 124290 // 
            
            
            
            PACKETSTORM: 124191 // 
            
            
            
            PACKETSTORM: 126269 // 
            
            
            
            PACKETSTORM: 125651 // 
            
            
            
            CNNVD: CNNVD-201311-353 // 
            
            
            
            JVNDB: JVNDB-2013-005257 // 
            
            
            
            NVD: CVE-2013-4164

REFERENCES
url:http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
Trust: 1.8
url:http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
Trust: 1.8
url:https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
Trust: 1.6
url:https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
Trust: 1.6
url:https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
Trust: 1.6
url:http://secunia.com/advisories/55787
Trust: 1.6
url:http://osvdb.org/100113
Trust: 1.6
url:http://rhn.redhat.com/errata/rhsa-2013-1767.html
Trust: 1.4
url:http://rhn.redhat.com/errata/rhsa-2014-0011.html
Trust: 1.4
url:http://rhn.redhat.com/errata/rhsa-2014-0215.html
Trust: 1.4
url:https://support.apple.com/kb/ht6536
Trust: 1.3
url:http://rhn.redhat.com/errata/rhsa-2013-1763.html
Trust: 1.3
url:http://rhn.redhat.com/errata/rhsa-2013-1764.html
Trust: 1.3
url:http://secunia.com/advisories/57376
Trust: 1.0
url:http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00009.html
Trust: 1.0
url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
Trust: 1.0
url:http://www.debian.org/security/2013/dsa-2809
Trust: 1.0
url:http://www.ubuntu.com/usn/usn-2035-1
Trust: 1.0
url:https://puppet.com/security/cve/cve-2013-4164
Trust: 1.0
url:http://www.debian.org/security/2013/dsa-2810
Trust: 1.0
url:http://www.securityfocus.com/bid/63873
Trust: 1.0
url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4164
Trust: 0.8
url:http://jvn.jp/vu/jvnvu95860341/index.html
Trust: 0.8
url:http://jvn.jp/vu/jvnvu97537282/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4164
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2013-4164
Trust: 0.6
url:http://seclists.org/bugtraq/2014/apr/133
Trust: 0.3
url:http://puppetlabs.com/security/cve/cve-2013-4164
Trust: 0.3
url:http://www.ruby-lang.org
Trust: 0.3
url:http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2013&m=slackware-security.484609
Trust: 0.3
url:https://blogs.oracle.com/sunsecurity/entry/cve_2013_4164_buffer_errors
Trust: 0.3
url:https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
Trust: 0.3
url:http://www-01.ibm.com/support/docview.wss?uid=swg21665279
Trust: 0.3
url:https://www.redhat.com/mailman/listinfo/rhsa-announce
Trust: 0.3
url:https://access.redhat.com/security/team/key/#package
Trust: 0.3
url:https://access.redhat.com/site/articles/11258
Trust: 0.3
url:https://bugzilla.redhat.com/):
Trust: 0.3
url:https://access.redhat.com/security/updates/classification/#critical
Trust: 0.3
url:https://www.redhat.com/security/data/cve/cve-2013-4164.html
Trust: 0.3
url:https://access.redhat.com/security/team/contact/
Trust: 0.3
url:http://www.debian.org/security/faq
Trust: 0.2
url:http://www.debian.org/security/
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2013-1821
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-4073
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-5170
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1315
Trust: 0.1
url:http://www.apple.com/support/downloads/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-6393
Trust: 0.1
url:http://support.apple.com/kb/ht6181
Trust: 0.1
url:https://www.apple.com/support/security/pgp/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1295
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1314
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1316
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1319
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1320
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1322
Trust: 0.1
url:http://support.apple.com/kb/ht1222
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1296
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1318
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-1321
Trust: 0.1
url:http://gpgtools.org
Trust: 0.1
url:https://access.redhat.com/site/documentation/en-us/cloudforms/3.0/html/management_engine_5.2_technical_notes/index.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0082
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-0081.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0057
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0081
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-0057.html
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-0082.html
Trust: 0.1
sources:
            
            
            BID: 63873 // 
            
            
            
            PACKETSTORM: 124289 // 
            
            
            
            PACKETSTORM: 124704 // 
            
            
            
            PACKETSTORM: 124290 // 
            
            
            
            PACKETSTORM: 124191 // 
            
            
            
            PACKETSTORM: 126269 // 
            
            
            
            PACKETSTORM: 125651 // 
            
            
            
            CNNVD: CNNVD-201311-353 // 
            
            
            
            JVNDB: JVNDB-2013-005257 // 
            
            
            
            NVD: CVE-2013-4164

CREDITS
Charlie Somerville
Trust: 0.3
sources:
            
            
            BID: 63873

SOURCES
db:BIDid:63873
db:PACKETSTORMid:124289
db:PACKETSTORMid:124704
db:PACKETSTORMid:124290
db:PACKETSTORMid:124191
db:PACKETSTORMid:126269
db:PACKETSTORMid:125651
db:CNNVDid:CNNVD-201311-353
db:JVNDBid:JVNDB-2013-005257
db:NVDid:CVE-2013-4164

LAST UPDATE DATE
2025-10-18T22:08:03.838000+00:00

SOURCES UPDATE DATE
db:BIDid:63873date:2015-04-13T21:19:00
db:CNNVDid:CNNVD-201311-353date:2013-11-29T00:00:00
db:JVNDBid:JVNDB-2013-005257date:2015-08-10T00:00:00
db:NVDid:CVE-2013-4164date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:BIDid:63873date:2013-11-22T00:00:00
db:PACKETSTORMid:124289date:2013-12-05T04:52:34
db:PACKETSTORMid:124704date:2014-01-08T00:11:54
db:PACKETSTORMid:124290date:2013-12-05T04:52:45
db:PACKETSTORMid:124191date:2013-11-27T16:32:20
db:PACKETSTORMid:126269date:2014-04-23T00:00:30
db:PACKETSTORMid:125651date:2014-03-11T21:31:51
db:CNNVDid:CNNVD-201311-353date:2013-11-29T00:00:00
db:JVNDBid:JVNDB-2013-005257date:2013-11-27T00:00:00
db:NVDid:CVE-2013-4164date:2013-11-23T19:55:03.517