SB2012102310 - Amazon Linux AMI update for ruby

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012102310

SB2012102310 - Amazon Linux AMI update for ruby

Published: October 23, 2012

Security Bulletin ID SB2012102310
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-1005)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-4466)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.


Remediation

Install update from vendor's website.

References