Debian-Sicherheitsankündigung

DSA-1157-1 ruby1.8 -- Mehrere Verwundbarkeiten

Datum des Berichts:

27. Aug 2006

Betroffene Pakete:

ruby1.8

Verwundbar:

Sicherheitsdatenbanken-Referenzen:

In der Debian-Fehlerdatenbank: Fehler 378029, Fehler 365520.
In Mitres CVE-Verzeichnis: CVE-2006-3694, CVE-2006-1931.

Weitere Informationen:

Mehrere Verwundbarkeiten wurden im Interpreter der Sprache Ruby entdeckt, was zur Umgehung der Sicherheitsbeschränkungen oder zu einer Diensteverweigerung (denial of service) führen kann. Das Common Vulnerabilities and Exposures Project identifiziert die folgenden Probleme:

CVE-2006-1931
Es wurde entdeckt, dass die Verwendung von blockierenden Sockets zu einer Diensteverweigerung (denial of service) führen kann.
CVE-2006-3964
Es wurde entdeckt, dass Ruby safe levels für Aliasing, Verzeichniszugriffe und reguläre Ausdrücke nicht korrekt verwaltet, was dazu führen kann, dass Sicherheitsbeschränkungen umgangen werden können.

Für die Stable-Distribution (Sarge) wurden diese Probleme in Version 1.8.2-7sarge4 behoben.

Für die Unstable-Distribution (Sid) wurden diese Probleme in Version 1.8.4-3 behoben.

Wir empfehlen Ihnen, Ihre Ruby-Pakete zu aktualisieren.

Behoben in:

Debian GNU/Linux 3.1 (sarge)

Quellcode:: http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4.dsc; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4.diff.gz; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2.orig.tar.gz
Architektur-unabhängige Dateien:: http://security.debian.org/pool/updates/main/r/ruby1.8/irb1.8_1.8.2-7sarge4_all.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge4_all.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ri1.8_1.8.2-7sarge4_all.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge4_all.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_alpha.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_amd64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_arm.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_i386.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_ia64.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_hppa.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_m68k.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_mips.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_mipsel.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_powerpc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_s390.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge4_sparc.deb; http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge4_sparc.deb

MD5-Prüfsummen der aufgeführten Dateien stehen in der ursprünglichen Sicherheitsankündigung zur Verfügung.