Sign-up

ID

VAR-201311-0106


CVE

CVE-2013-4164


TITLE

Ruby Heap-based buffer overflow vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2013-005257 // CNNVD: CNNVD-201311-353

DESCRIPTION

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. Ruby is prone to a heap-based buffer overflow vulnerability because it fails to adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the affected function. Failed exploit attempts will likely crash the application. Following versions are vulnerable: Ruby 1.8 Ruby 1.9 prior to 1.9.3-p484 Ruby 2.0 prior to 2.0.0-p353 Ruby 2.1 prior to 2.1.0 preview2. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-1821 Ben Murphy discovered that unrestricted entity expansion in REXML can lead to a Denial of Service by consuming all host memory. CVE-2013-4073 William (B.J.) Snow Orvis discovered a vulnerability in the hostname checking in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate issued by a trusted certification authority. For the oldstable distribution (squeeze), these problems have been fixed in version 1.8.7.302-2squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 1.8.7.358-7.1+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.8.7.358-9. We recommend that you upgrade your ruby1.8 packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: ruby security update Advisory ID: RHSA-2013:1767-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1767.html Issue date: 2013-11-26 CVE Names: CVE-2013-4164 ===================================================================== 1. Summary: Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2, 6.3, and 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Compute Node EUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux Server EUS (v. 6.2) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.2) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. A buffer overflow flaw was found in the way Ruby parsed floating point numbers from their text representation. (CVE-2013-4164) All ruby users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing 6. Package List: Red Hat Enterprise Linux Compute Node EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm x86_64: ruby-1.8.7.352-13.el6_2.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-irb-1.8.7.352-13.el6_2.x86_64.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Compute Node EUS (v. 6.3): Source: ruby-1.8.7.352-13.el6_3.src.rpm x86_64: ruby-1.8.7.352-13.el6_3.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.x86_64.rpm ruby-irb-1.8.7.352-13.el6_3.x86_64.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm x86_64: ruby-1.8.7.352-13.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.x86_64.rpm ruby-irb-1.8.7.352-13.el6_4.x86_64.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_4.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-docs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm ruby-ri-1.8.7.352-13.el6_2.x86_64.rpm ruby-static-1.8.7.352-13.el6_2.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) : Source: ruby-1.8.7.352-13.el6_3.src.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-docs-1.8.7.352-13.el6_3.x86_64.rpm ruby-ri-1.8.7.352-13.el6_3.x86_64.rpm ruby-static-1.8.7.352-13.el6_3.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-docs-1.8.7.352-13.el6_4.x86_64.rpm ruby-ri-1.8.7.352-13.el6_4.x86_64.rpm ruby-static-1.8.7.352-13.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_4.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm i386: ruby-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-irb-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-rdoc-1.8.7.352-13.el6_2.i686.rpm ppc64: ruby-1.8.7.352-13.el6_2.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc64.rpm ruby-devel-1.8.7.352-13.el6_2.ppc.rpm ruby-devel-1.8.7.352-13.el6_2.ppc64.rpm ruby-irb-1.8.7.352-13.el6_2.ppc64.rpm ruby-libs-1.8.7.352-13.el6_2.ppc.rpm ruby-libs-1.8.7.352-13.el6_2.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_2.ppc64.rpm s390x: ruby-1.8.7.352-13.el6_2.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390x.rpm ruby-devel-1.8.7.352-13.el6_2.s390.rpm ruby-devel-1.8.7.352-13.el6_2.s390x.rpm ruby-irb-1.8.7.352-13.el6_2.s390x.rpm ruby-libs-1.8.7.352-13.el6_2.s390.rpm ruby-libs-1.8.7.352-13.el6_2.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_2.s390x.rpm x86_64: ruby-1.8.7.352-13.el6_2.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-irb-1.8.7.352-13.el6_2.x86_64.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.3): Source: ruby-1.8.7.352-13.el6_3.src.rpm i386: ruby-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-irb-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-rdoc-1.8.7.352-13.el6_3.i686.rpm ppc64: ruby-1.8.7.352-13.el6_3.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_3.ppc64.rpm ruby-devel-1.8.7.352-13.el6_3.ppc.rpm ruby-devel-1.8.7.352-13.el6_3.ppc64.rpm ruby-irb-1.8.7.352-13.el6_3.ppc64.rpm ruby-libs-1.8.7.352-13.el6_3.ppc.rpm ruby-libs-1.8.7.352-13.el6_3.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_3.ppc64.rpm s390x: ruby-1.8.7.352-13.el6_3.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_3.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_3.s390x.rpm ruby-devel-1.8.7.352-13.el6_3.s390.rpm ruby-devel-1.8.7.352-13.el6_3.s390x.rpm ruby-irb-1.8.7.352-13.el6_3.s390x.rpm ruby-libs-1.8.7.352-13.el6_3.s390.rpm ruby-libs-1.8.7.352-13.el6_3.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_3.s390x.rpm x86_64: ruby-1.8.7.352-13.el6_3.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.x86_64.rpm ruby-irb-1.8.7.352-13.el6_3.x86_64.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm i386: ruby-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-irb-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-rdoc-1.8.7.352-13.el6_4.i686.rpm ppc64: ruby-1.8.7.352-13.el6_4.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_4.ppc64.rpm ruby-devel-1.8.7.352-13.el6_4.ppc.rpm ruby-devel-1.8.7.352-13.el6_4.ppc64.rpm ruby-irb-1.8.7.352-13.el6_4.ppc64.rpm ruby-libs-1.8.7.352-13.el6_4.ppc.rpm ruby-libs-1.8.7.352-13.el6_4.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_4.ppc64.rpm s390x: ruby-1.8.7.352-13.el6_4.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_4.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_4.s390x.rpm ruby-devel-1.8.7.352-13.el6_4.s390.rpm ruby-devel-1.8.7.352-13.el6_4.s390x.rpm ruby-irb-1.8.7.352-13.el6_4.s390x.rpm ruby-libs-1.8.7.352-13.el6_4.s390.rpm ruby-libs-1.8.7.352-13.el6_4.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_4.s390x.rpm x86_64: ruby-1.8.7.352-13.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.x86_64.rpm ruby-irb-1.8.7.352-13.el6_4.x86_64.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.2): Source: ruby-1.8.7.352-13.el6_2.src.rpm i386: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-docs-1.8.7.352-13.el6_2.i686.rpm ruby-rdoc-1.8.7.352-13.el6_2.i686.rpm ruby-ri-1.8.7.352-13.el6_2.i686.rpm ruby-static-1.8.7.352-13.el6_2.i686.rpm ruby-tcltk-1.8.7.352-13.el6_2.i686.rpm ppc64: ruby-debuginfo-1.8.7.352-13.el6_2.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc64.rpm ruby-devel-1.8.7.352-13.el6_2.ppc.rpm ruby-devel-1.8.7.352-13.el6_2.ppc64.rpm ruby-docs-1.8.7.352-13.el6_2.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_2.ppc64.rpm ruby-ri-1.8.7.352-13.el6_2.ppc64.rpm ruby-static-1.8.7.352-13.el6_2.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_2.ppc64.rpm s390x: ruby-debuginfo-1.8.7.352-13.el6_2.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390x.rpm ruby-devel-1.8.7.352-13.el6_2.s390.rpm ruby-devel-1.8.7.352-13.el6_2.s390x.rpm ruby-docs-1.8.7.352-13.el6_2.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_2.s390x.rpm ruby-ri-1.8.7.352-13.el6_2.s390x.rpm ruby-static-1.8.7.352-13.el6_2.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_2.s390x.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-docs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm ruby-ri-1.8.7.352-13.el6_2.x86_64.rpm ruby-static-1.8.7.352-13.el6_2.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_2.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.3): Source: ruby-1.8.7.352-13.el6_3.src.rpm i386: ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-docs-1.8.7.352-13.el6_3.i686.rpm ruby-ri-1.8.7.352-13.el6_3.i686.rpm ruby-static-1.8.7.352-13.el6_3.i686.rpm ruby-tcltk-1.8.7.352-13.el6_3.i686.rpm ppc64: ruby-debuginfo-1.8.7.352-13.el6_3.ppc64.rpm ruby-docs-1.8.7.352-13.el6_3.ppc64.rpm ruby-ri-1.8.7.352-13.el6_3.ppc64.rpm ruby-static-1.8.7.352-13.el6_3.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_3.ppc64.rpm s390x: ruby-debuginfo-1.8.7.352-13.el6_3.s390x.rpm ruby-docs-1.8.7.352-13.el6_3.s390x.rpm ruby-ri-1.8.7.352-13.el6_3.s390x.rpm ruby-static-1.8.7.352-13.el6_3.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_3.s390x.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-docs-1.8.7.352-13.el6_3.x86_64.rpm ruby-ri-1.8.7.352-13.el6_3.x86_64.rpm ruby-static-1.8.7.352-13.el6_3.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.4): Source: ruby-1.8.7.352-13.el6_4.src.rpm i386: ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-docs-1.8.7.352-13.el6_4.i686.rpm ruby-ri-1.8.7.352-13.el6_4.i686.rpm ruby-static-1.8.7.352-13.el6_4.i686.rpm ruby-tcltk-1.8.7.352-13.el6_4.i686.rpm ppc64: ruby-debuginfo-1.8.7.352-13.el6_4.ppc64.rpm ruby-docs-1.8.7.352-13.el6_4.ppc64.rpm ruby-ri-1.8.7.352-13.el6_4.ppc64.rpm ruby-static-1.8.7.352-13.el6_4.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_4.ppc64.rpm s390x: ruby-debuginfo-1.8.7.352-13.el6_4.s390x.rpm ruby-docs-1.8.7.352-13.el6_4.s390x.rpm ruby-ri-1.8.7.352-13.el6_4.s390x.rpm ruby-static-1.8.7.352-13.el6_4.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_4.s390x.rpm x86_64: ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-docs-1.8.7.352-13.el6_4.x86_64.rpm ruby-ri-1.8.7.352-13.el6_4.x86_64.rpm ruby-static-1.8.7.352-13.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-4164.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSlPJkXlSAg2UNWIIRAmGVAJ0ftFXiZwwEQYrgDr4bmR7n7pvbtQCbB8VQ Q2wQW0K2XmUcezCSz0pyQ2M= =Cisx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-2035-1 November 27, 2013 ruby1.8, ruby1.9.1 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 13.04 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Ruby. (CVE-2013-4164) Vit Ondruch discovered that Ruby did not perform taint checking for certain functions. An attacker could possibly use this issue to bypass certain intended restrictions. (CVE-2013-2065) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: libruby1.8 1.8.7.358-7ubuntu2.1 libruby1.9.1 1.9.3.194-8.1ubuntu2.1 ruby1.8 1.8.7.358-7ubuntu2.1 ruby1.9.1 1.9.3.194-8.1ubuntu2.1 Ubuntu 13.04: libruby1.8 1.8.7.358-7ubuntu1.2 libruby1.9.1 1.9.3.194-8.1ubuntu1.2 ruby1.8 1.8.7.358-7ubuntu1.2 ruby1.9.1 1.9.3.194-8.1ubuntu1.2 Ubuntu 12.10: libruby1.8 1.8.7.358-4ubuntu0.4 libruby1.9.1 1.9.3.194-1ubuntu1.6 ruby1.8 1.8.7.358-4ubuntu0.4 ruby1.9.1 1.9.3.194-1ubuntu1.6 Ubuntu 12.04 LTS: libruby1.8 1.8.7.352-2ubuntu1.4 libruby1.9.1 1.9.3.0-1ubuntu2.8 ruby1.8 1.8.7.352-2ubuntu1.4 ruby1.9.1 1.9.3.0-1ubuntu2.8 In general, a standard system update will make all the necessary changes. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/ruby-1.9.3_p484-i486-1_slack14.1.txz: Upgraded. For more information, see: https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ruby-1.9.3_p484-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ruby-1.9.3_p484-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ruby-1.9.3_p484-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ruby-1.9.3_p484-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ruby-1.9.3_p484-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ruby-1.9.3_p484-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ruby-1.9.3_p484-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ruby-1.9.3_p484-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/ruby-1.9.3_p484-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/ruby-1.9.3_p484-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.1 package: a9c7fc1b752d9dbebf729639768f0ff9 ruby-1.9.3_p484-i486-1_slack13.1.txz Slackware x86_64 13.1 package: b78129d604ac455d1b28d54f28c2742a ruby-1.9.3_p484-x86_64-1_slack13.1.txz Slackware 13.37 package: b195b07dff2bea6a3c4ad26686ed2bfe ruby-1.9.3_p484-i486-1_slack13.37.txz Slackware x86_64 13.37 package: a24d37e579ec1756896fabe5c158a83a ruby-1.9.3_p484-x86_64-1_slack13.37.txz Slackware 14.0 package: 334fab8b88a0474b7ddd551c3f945492 ruby-1.9.3_p484-i486-1_slack14.0.txz Slackware x86_64 14.0 package: ad5cc7610fd06dae0bcae1b89c8b9659 ruby-1.9.3_p484-x86_64-1_slack14.0.txz Slackware 14.1 package: 74555154cbd4bac223f6121f30821f1f ruby-1.9.3_p484-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 172e5c26ed18318e28668820e36ac0a0 ruby-1.9.3_p484-x86_64-1_slack14.1.txz Slackware -current package: b865aec63c8a52ad041ea3d7b6febfda d/ruby-1.9.3_p484-i486-1.txz Slackware x86_64 -current package: 9ddaa67e1d06d2d37eda294b749ff91d d/ruby-1.9.3_p484-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg ruby-1.9.3_p484-i486-1_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-10-16-3 OS X Server v4.0 OS X Server v4.0 is now available and addresses the following: BIND Available for: OS X Yosemite v10.10 or later Impact: Multiple vulnerabilities in BIND, the most serious of which may lead to a denial of service Description: Multiple vulnerabilities existed in BIND. These issues were addressed by updating BIND to version 9.9.2-P2 CVE-ID CVE-2013-3919 CVE-2013-4854 CVE-2014-0591 CoreCollaboration Available for: OS X Yosemite v10.10 or later Impact: A remote attacker may be able to execute arbitrary SQL queries Description: A SQL injection issue existed in Wiki Server. This issue was addressed through additional validation of SQL queries. CVE-ID CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of Ferdowsi University of Mashhad CoreCollaboration Available for: OS X Yosemite v10.10 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-site scripting issue existed in Xcode Server. This issue was addressed through improved encoding of HTML output. CVE-ID CVE-2014-4406 : David Hoyt of Hoyt LLC CoreCollaboration Available for: OS X Yosemite v10.10 or later Impact: Multiple vulnerabilities in PostgreSQL, the most serious of which may lead to arbitrary code execution Description: Multiple vulnerabilities existed in PostgreSQL. These issues were addressed by updating PostgreSQL to version 9.2.7. CVE-ID CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 Mail Service Available for: OS X Yosemite v10.10 or later Impact: Group SACL changes for Mail may not be respected until after a restart of the Mail service Description: SACL settings for Mail were cached and changes to the SACLs were not respected until after a restart of the Mail service. This issue was addressed by resetting the cache upon changes to the SACLs. CVE-ID CVE-2014-4446 : Craig Courtney Profile Manager Available for: OS X Yosemite v10.10 or later Impact: Multiple vulnerabilities in LibYAML, the most serious of which may lead to arbitrary code execution Description: Multiple vulnerabilities existed in LibYAML. These issues were addressed by switching from YAML to JSON as Profile Manager's internal serialization format. CVE-ID CVE-2013-4164 CVE-2013-6393 Profile Manager Available for: OS X Yosemite v10.10 or later Impact: A local user may obtain passwords after setting up or editing profiles in Profile Manager Description: In certain circumstances, setting up or editing profiles in Profile Manager may have logged passwords to a file. This issue was addressed through improved handling of credentials. CVE-ID CVE-2014-4447 : Mayo Jordanov Server Available for: OS X Yosemite v10.10 or later Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling SSL 3.0 support in Web Server, Calendar & Contacts Server, and Remote Administration. CVE-ID CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team ServerRuby Available for: OS X Yosemite v10.10 or later Impact: Running a Ruby script that handles untrusted YAML tags may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in LibYAML's handling of YAML tags. This issue was addressed through additional validation of YAML tags. This issue does not affect systems prior to OS X Mavericks. CVE-ID CVE-2013-6393 OS X Server v4.0 may be obtained from the Mac App Store. Relevant releases/architectures: Management Engine - noarch, x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation enterprises need to address the challenges of managing virtual environments, which are far more complex than physical ones. This technology enables enterprises with existing virtual infrastructures to improve visibility and control, and those just starting virtualization deployments to build and operate a well-managed virtual infrastructure. (CVE-2013-4164) It was found that Red Hat CloudForms Management Engine did not properly sanitize user-supplied values in the ServiceController. (CVE-2014-0057) It was found that several number conversion helpers in Action View did not properly escape all their parameters. An attacker could use these flaws to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user as parameters to the affected helpers. (CVE-2014-0081) A memory consumption issue was discovered in the text rendering component of Action View. A remote attacker could use this flaw to perform a denial of service attack by sending specially crafted queries that would result in the creation of Ruby symbols that were never garbage collected. (CVE-2014-0082) Red Hat would like to thank the Ruby on Rails Project for reporting CVE-2014-0081 and CVE-2014-0082. Upstream acknowledges Kevin Reintjes as the original reporter of CVE-2014-0081, and Toby Hsieh of SlideShare as the original reporter of CVE-2014-0082. This update fixes several bugs and adds multiple enhancements. Documentation for these changes will be available shortly from the Red Hat CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the References section

Trust: 2.61

sources: NVD: CVE-2013-4164 // JVNDB: JVNDB-2013-005257 // BID: 63873 // PACKETSTORM: 124289 // PACKETSTORM: 124704 // PACKETSTORM: 124191 // PACKETSTORM: 124207 // PACKETSTORM: 124487 // PACKETSTORM: 124176 // PACKETSTORM: 128731 // PACKETSTORM: 125651

AFFECTED PRODUCTS

vendor:ruby langmodel:rubyscope:eqversion:1.8

Trust: 2.4

vendor:ruby langmodel:rubyscope:eqversion:1.9

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:2.0.0

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:1.9.2

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:1.9.1

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:2.1

Trust: 1.6

vendor:ruby langmodel:rubyscope:eqversion:1.9.3

Trust: 1.6

vendor:ruby langmodel:rubyscope:ltversion:2.0

Trust: 0.8

vendor:ruby langmodel:rubyscope:eqversion:1.9.3-p484

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.8.5

Trust: 0.8

vendor:applemodel:macos serverscope:eqversion:3.2.1

Trust: 0.8

vendor:applemodel:macos serverscope:ltversion:(os x mavericks v10.9.5 or later )

Trust: 0.8

vendor:ruby langmodel:rubyscope:eqversion:2.1.0 preview2

Trust: 0.8

vendor:applemodel:macos serverscope:ltversion:(os x yosemite v10.10 or later )

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.7.5

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.9.2

Trust: 0.8

vendor:ruby langmodel:rubyscope:ltversion:2.1

Trust: 0.8

vendor:ruby langmodel:rubyscope:ltversion:1.9

Trust: 0.8

vendor:applemodel:macos serverscope:eqversion:4.0

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.7.5

Trust: 0.8

vendor:ruby langmodel:rubyscope:eqversion:2.0.0-p353

Trust: 0.8

vendor:yukihiromodel:matsumoto ruby devscope:eqversion:1.9.3

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby rc2scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p180scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p136scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p0scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -rc1scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby p431scope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p429scope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p376scope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9.1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9-2

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9-1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p72scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p71scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p22scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p21scope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.7

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p287scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p286scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p230scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p229scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p114scope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.6

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p231scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p230scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p2scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby -p115scope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.5

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.4

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.3

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre4scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre3scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre2scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre1scope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.2

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8.1

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.8

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.1.0-preview1scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.0.0-p247scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.0.0-p195scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:2.0

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p448scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p426scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p392scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p327scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p0scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby pre3scope:eqversion:1.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.1-p430scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.1-p378scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto rubyscope:eqversion:1.9.0-3

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.8devscope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p374scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p357scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p352scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p334scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p330scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p302scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p299scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p249scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p248scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p173scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.7-p160scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p420scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p399scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p388scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p383scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p369scope: - version: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.8.6-p368scope: - version: -

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:13.10

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:13.04

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:12.10

Trust: 0.3

vendor:ubuntumodel:linuxscope:eqversion:12.04

Trust: 0.3

vendor:susemodel:linux enterprise software development kit sp3scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp3 for vmwarescope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp3scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp2 for vmwarescope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise desktop sp3scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise desktop sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:studio onsitescope:eqversion:1.3

Trust: 0.3

vendor:susemodel:linux enterprise software development kit sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:lifecycle management serverscope:eqversion:1.3

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:14.1

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:14.0

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:13.37

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:13.1

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:13.1

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:12.3

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:12.2

Trust: 0.3

vendor:redhatmodel:software collections for rhelscope:eqversion:0

Trust: 0.3

vendor:redhatmodel:openstackscope:eqversion:3.0

Trust: 0.3

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux server eus 6.4.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux server eus 6.3.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux server eus 6.2.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux server ausscope:eqversion:6.4

Trust: 0.3

vendor:redhatmodel:enterprise linux server ausscope:eqversion:6.2

Trust: 0.3

vendor:redhatmodel:enterprise linux serverscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux hpc nodescope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux high availability eus 6.4.zscope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux desktopscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:cloudformsscope:eqversion:3.0

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:3.1

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:2.8.3

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:2.8.2

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:2.8.0

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:11.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:mandrivamodel:business serverscope:eqversion:1x8664

Trust: 0.3

vendor:mandrivamodel:business serverscope:eqversion:1

Trust: 0.3

vendor:mandrakesoftmodel:enterprise server x86 64scope:eqversion:5

Trust: 0.3

vendor:mandrakesoftmodel:enterprise serverscope:eqversion:5

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:51005.1.1

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:51005.1

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:5.1.2

Trust: 0.3

vendor:gentoomodel:linuxscope: - version: -

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:6.0

Trust: 0.3

vendor:applemodel:os mavericksscope:eqversion:x10.9.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x3.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x2.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.2

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.1.0-preview2scope:neversion: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 2.0.0-p353scope:neversion: -

Trust: 0.3

vendor:yukihiromodel:matsumoto ruby 1.9.3-p484scope:neversion: -

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:neversion:3.1.1

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:neversion:2.8.4

Trust: 0.3

vendor:applemodel:os mavericksscope:neversion:x10.9.3

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x3.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x4.0

Trust: 0.3

sources: BID: 63873 // JVNDB: JVNDB-2013-005257 // CNNVD: CNNVD-201311-353 // NVD: CVE-2013-4164

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4164
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-4164
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201311-353
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-4164
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2013-005257 // CNNVD: CNNVD-201311-353 // NVD: CVE-2013-4164

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2013-005257 // NVD: CVE-2013-4164

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-353

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201311-353

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-005257

PATCH
title:HT6207url:http://support.apple.com/kb/HT6207
Trust: 0.8
title:HT6248url:http://support.apple.com/kb/HT6248
Trust: 0.8
title:HT6536url:http://support.apple.com/kb/HT6536
Trust: 0.8
title:HT6207url:http://support.apple.com/kb/HT6207?viewlocale=ja_JP
Trust: 0.8
title:HT6248url:http://support.apple.com/kb/HT6248?viewlocale=ja_JP
Trust: 0.8
title:HT6536url:http://support.apple.com/kb/HT6536?viewlocale=ja_JP
Trust: 0.8
title:DSA-2810url:http://www.debian.org/security/2013/dsa-2810
Trust: 0.8
title:openSUSE-SU-2013:1834url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
Trust: 0.8
title:openSUSE-SU-2013:1835url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
Trust: 0.8
title:Multiple vulnerabilities in Rubyurl:https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_ruby1
Trust: 0.8
title:Bug 1033460url:https://bugzilla.redhat.com/show_bug.cgi?id=1033460
Trust: 0.8
title:RHSA-2014:0215url:https://rhn.redhat.com/errata/RHSA-2014-0215.html
Trust: 0.8
title:RHSA-2013:1763url:http://rhn.redhat.com/errata/RHSA-2013-1763.html
Trust: 0.8
title:RHSA-2013:1764url:http://rhn.redhat.com/errata/RHSA-2013-1764.html
Trust: 0.8
title:RHSA-2013:1767url:http://rhn.redhat.com/errata/RHSA-2013-1767.html
Trust: 0.8
title:RHSA-2014:0011url:https://rhn.redhat.com/errata/RHSA-2014-0011.html
Trust: 0.8
title:Ruby 2.0.0-p353 is releasedurl:https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
Trust: 0.8
title:Ruby 1.9.3-p484 is releasedurl:https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
Trust: 0.8
title:Heap Overflow in Floating Point Parsing (CVE-2013-4164)url:https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
Trust: 0.8
title:CVE-2013-4164 Buffer Errors vulnerability in Rubyurl:https://blogs.oracle.com/sunsecurity/entry/cve_2013_4164_buffer_errors
Trust: 0.8
title:ruby-2.0.0-p353url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49037
Trust: 0.6
title:ruby-2.1.0-preview2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49041
Trust: 0.6
title:ruby-1.9.3-p484url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49036
Trust: 0.6
title:ruby-2.1.0-preview2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49040
Trust: 0.6
title:ruby-1.9.3-p484url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49034
Trust: 0.6
title:ruby-2.0.0-p353url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49039
Trust: 0.6
title:ruby-1.9.3-p484url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49032
Trust: 0.6
title:ruby-2.0.0-p353url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49038
Trust: 0.6
title:ruby-2.1.0-preview2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49042
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2013-005257 // 
            
            
            
            CNNVD: CNNVD-201311-353

EXTERNAL IDS
db:NVDid:CVE-2013-4164
Trust: 3.5
db:OSVDBid:100113
Trust: 1.6
db:SECUNIAid:55787
Trust: 1.6
db:BIDid:63873
Trust: 1.3
db:SECUNIAid:57376
Trust: 1.0
db:JVNid:JVNVU95860341
Trust: 0.8
db:JVNid:JVNVU97537282
Trust: 0.8
db:JVNDBid:JVNDB-2013-005257
Trust: 0.8
db:CNNVDid:CNNVD-201311-353
Trust: 0.6
db:PACKETSTORMid:124289
Trust: 0.1
db:PACKETSTORMid:124704
Trust: 0.1
db:PACKETSTORMid:124191
Trust: 0.1
db:PACKETSTORMid:124207
Trust: 0.1
db:PACKETSTORMid:124487
Trust: 0.1
db:PACKETSTORMid:124176
Trust: 0.1
db:PACKETSTORMid:128731
Trust: 0.1
db:PACKETSTORMid:125651
Trust: 0.1
sources:
            
            
            BID: 63873 // 
            
            
            
            JVNDB: JVNDB-2013-005257 // 
            
            
            
            PACKETSTORM: 124289 // 
            
            
            
            PACKETSTORM: 124704 // 
            
            
            
            PACKETSTORM: 124191 // 
            
            
            
            PACKETSTORM: 124207 // 
            
            
            
            PACKETSTORM: 124487 // 
            
            
            
            PACKETSTORM: 124176 // 
            
            
            
            PACKETSTORM: 128731 // 
            
            
            
            PACKETSTORM: 125651 // 
            
            
            
            CNNVD: CNNVD-201311-353 // 
            
            
            
            NVD: CVE-2013-4164

REFERENCES
url:http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
Trust: 1.8
url:http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
Trust: 1.8
url:https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released
Trust: 1.6
url:https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
Trust: 1.6
url:https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
Trust: 1.6
url:http://secunia.com/advisories/55787
Trust: 1.6
url:http://osvdb.org/100113
Trust: 1.6
url:http://rhn.redhat.com/errata/rhsa-2013-1767.html
Trust: 1.4
url:http://rhn.redhat.com/errata/rhsa-2014-0011.html
Trust: 1.4
url:http://rhn.redhat.com/errata/rhsa-2014-0215.html
Trust: 1.4
url:http://rhn.redhat.com/errata/rhsa-2013-1764.html
Trust: 1.4
url:https://support.apple.com/kb/ht6536
Trust: 1.3
url:http://rhn.redhat.com/errata/rhsa-2013-1763.html
Trust: 1.3
url:http://www.ubuntu.com/usn/usn-2035-1
Trust: 1.1
url:http://www.debian.org/security/2013/dsa-2810
Trust: 1.0
url:https://puppet.com/security/cve/cve-2013-4164
Trust: 1.0
url:http://www.debian.org/security/2013/dsa-2809
Trust: 1.0
url:http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00009.html
Trust: 1.0
url:http://secunia.com/advisories/57376
Trust: 1.0
url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
Trust: 1.0
url:http://www.securityfocus.com/bid/63873
Trust: 1.0
url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4164
Trust: 0.9
url:http://jvn.jp/vu/jvnvu95860341/index.html
Trust: 0.8
url:http://jvn.jp/vu/jvnvu97537282/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4164
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2013-4164
Trust: 0.8
url:https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
Trust: 0.4
url:https://www.redhat.com/mailman/listinfo/rhsa-announce
Trust: 0.4
url:https://access.redhat.com/security/team/key/#package
Trust: 0.4
url:https://access.redhat.com/site/articles/11258
Trust: 0.4
url:https://bugzilla.redhat.com/):
Trust: 0.4
url:https://access.redhat.com/security/updates/classification/#critical
Trust: 0.4
url:https://www.redhat.com/security/data/cve/cve-2013-4164.html
Trust: 0.4
url:https://access.redhat.com/security/team/contact/
Trust: 0.4
url:http://seclists.org/bugtraq/2014/apr/133
Trust: 0.3
url:http://puppetlabs.com/security/cve/cve-2013-4164
Trust: 0.3
url:http://www.ruby-lang.org
Trust: 0.3
url:http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2013&m=slackware-security.484609
Trust: 0.3
url:https://blogs.oracle.com/sunsecurity/entry/cve_2013_4164_buffer_errors
Trust: 0.3
url:http://www-01.ibm.com/support/docview.wss?uid=swg21665279
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2013-1821
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-4073
Trust: 0.1
url:http://www.debian.org/security/faq
Trust: 0.1
url:http://www.debian.org/security/
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.6
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu1.4
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-2065
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-7ubuntu1.2
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.8
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-4ubuntu0.4
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-8.1ubuntu2.1
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-8.1ubuntu1.2
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-7ubuntu2.1
Trust: 0.1
url:http://slackware.com
Trust: 0.1
url:http://osuosl.org)
Trust: 0.1
url:http://slackware.com/gpg-key
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0064
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-6393
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0063
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0061
Trust: 0.1
url:http://support.apple.com/kb/ht1222
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4406
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-4854
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0591
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0066
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0062
Trust: 0.1
url:https://www.apple.com/support/security/pgp/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0060
Trust: 0.1
url:http://gpgtools.org
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-3919
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4424
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0065
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4446
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-4447
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-3566
Trust: 0.1
url:https://access.redhat.com/site/documentation/en-us/cloudforms/3.0/html/management_engine_5.2_technical_notes/index.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0082
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-0081.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0057
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0081
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-0057.html
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-0082.html
Trust: 0.1
sources:
            
            
            BID: 63873 // 
            
            
            
            JVNDB: JVNDB-2013-005257 // 
            
            
            
            PACKETSTORM: 124289 // 
            
            
            
            PACKETSTORM: 124704 // 
            
            
            
            PACKETSTORM: 124191 // 
            
            
            
            PACKETSTORM: 124207 // 
            
            
            
            PACKETSTORM: 124487 // 
            
            
            
            PACKETSTORM: 124176 // 
            
            
            
            PACKETSTORM: 128731 // 
            
            
            
            PACKETSTORM: 125651 // 
            
            
            
            CNNVD: CNNVD-201311-353 // 
            
            
            
            NVD: CVE-2013-4164

CREDITS
Red Hat
Trust: 0.4
sources:
            
            
            PACKETSTORM: 124704 // 
            
            
            
            PACKETSTORM: 124191 // 
            
            
            
            PACKETSTORM: 124176 // 
            
            
            
            PACKETSTORM: 125651

SOURCES
db:BIDid:63873
db:JVNDBid:JVNDB-2013-005257
db:PACKETSTORMid:124289
db:PACKETSTORMid:124704
db:PACKETSTORMid:124191
db:PACKETSTORMid:124207
db:PACKETSTORMid:124487
db:PACKETSTORMid:124176
db:PACKETSTORMid:128731
db:PACKETSTORMid:125651
db:CNNVDid:CNNVD-201311-353
db:NVDid:CVE-2013-4164

LAST UPDATE DATE
2025-01-14T21:05:26.771000+00:00

SOURCES UPDATE DATE
db:BIDid:63873date:2015-04-13T21:19:00
db:JVNDBid:JVNDB-2013-005257date:2015-08-10T00:00:00
db:CNNVDid:CNNVD-201311-353date:2013-11-29T00:00:00
db:NVDid:CVE-2013-4164date:2024-11-21T01:55:00.143

SOURCES RELEASE DATE
db:BIDid:63873date:2013-11-22T00:00:00
db:JVNDBid:JVNDB-2013-005257date:2013-11-27T00:00:00
db:PACKETSTORMid:124289date:2013-12-05T04:52:34
db:PACKETSTORMid:124704date:2014-01-08T00:11:54
db:PACKETSTORMid:124191date:2013-11-27T16:32:20
db:PACKETSTORMid:124207date:2013-11-27T23:33:00
db:PACKETSTORMid:124487date:2013-12-18T01:02:13
db:PACKETSTORMid:124176date:2013-11-26T01:47:59
db:PACKETSTORMid:128731date:2014-10-17T15:07:38
db:PACKETSTORMid:125651date:2014-03-11T21:31:51
db:CNNVDid:CNNVD-201311-353date:2013-11-29T00:00:00
db:NVDid:CVE-2013-4164date:2013-11-23T19:55:03.517