Bug 1002364 (CVE-2013-4287)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability | | |
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aortega, apevec, athomas, ayoung, bdunne, bkearney, bleanhar, ccoleman, chrisw, cpelland, dcleal, dmcphers, drieden, esammons, gkotton, gmollett, iboverma, iheim, jdetiber, jfrey, jialiu, jkurik, jrafanie, jross, jrusnack, jstribny, katello-bugs, kseifried, lhh, lmeyer, markmc, mastahnke, matt, mcressma, mmaslano, mmccune, mmcgrath, mrg-program-list, mtasaka, nobody+bgollahe, obarenbo, ohadlevy, ohochman, pfrields, rbryant, rhos-maint, sclewis, security-response-team, tdawson, vanmeeuwen+fedora, vondruch, xlecauch, yeylon |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | rubygems 2.1.0, rubygems 2.0.8, rubygems 1.8.26, rubygems 1.8.23.1 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-01-21 07:51:40 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1002838, 1002839, 1002841, 1002842, 1002843, 1002844, 1002845, 1002847, 1002848, 1005269, 1006429, 1006440, 1012267, 1012780, 1012789, 1061934, 1159439 | | |
| Bug Blocks | 1002366, 1034635 | | |
Description
Vincent Danen
2013-08-29 03:20:40 UTC
Fixed in: RubyGems 2.1.0, 2.0.8, 1.8.26 and 1.8.23.1

External references:
http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html

Patch links from the upstream announcement:
- patch for RubyGems 2.1.0.rc.2, released as RubyGems 2.1.0: https://github.com/rubygems/rubygems/commit/938a7e31ac73655845ab9045629ff3f580a125da
- patch for RubyGems 2.0.7, released as RubyGems 2.0.8: https://github.com/rubygems/rubygems/commit/b9baec03145aed684d1cd3c87dcac3cc06becd9b
- patch for RubyGems 1.8.25, released as RubyGems 1.8.26: https://github.com/rubygems/rubygems/commit/ed733bc379d75620f5be4213f89d1d7b38be3191
- patch for RubyGems 1.8.23, released as RubyGems 1.8.23.1: https://github.com/rubygems/rubygems/commit/b697536f2455e8c8853cf5cf8a1017a36031ed67

There is an indication that the upstream fix does not correctly fix all cases:
http://thread.gmane.org/gmane.comp.security.oss.general/11085/focus=11114

Upstream update addressing additional concerns is expected early next week:
http://thread.gmane.org/gmane.comp.security.oss.general/11085/focus=11130

(In reply to Tomas Hoger from comment #14)
> Upstream update addressing additional concerns is expected early next week:
>
> http://thread.gmane.org/gmane.comp.security.oss.general/11085/focus=11130

Upstream update is now available, see bug 1009720, comment 1.
This issue has been addressed in the following products:

- Red Hat Software Collections for RHEL-6, via RHSA-2013:1427: https://rhn.redhat.com/errata/RHSA-2013-1427.html
- Red Hat Enterprise Linux 6, via RHSA-2013:1441: https://rhn.redhat.com/errata/RHSA-2013-1441.html
- OpenStack 3 for RHEL 6, via RHSA-2013:1523: https://rhn.redhat.com/errata/RHSA-2013-1523.html
- MRG for RHEL-6 v.2, via RHSA-2013:1852: https://rhn.redhat.com/errata/RHSA-2013-1852.html
- RHEL 6 Version of OpenShift Enterprise 2.0, via RHSA-2014:0207: https://rhn.redhat.com/errata/RHSA-2014-0207.html

Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift.

SAM-1 uses rubygems as a dependency and does not directly download or install additional ruby gems once installed.
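Two checks a practitioner would want after reading this bug, written as an added example by the editor; this is not code from the bug, from Red Hat, or from RubyGems itself. The first part decides whether a given RubyGems version string is one of the fixed releases listed in the "Fixed In Version" field (2.1.0, 2.0.8, 1.8.26, 1.8.23.1). The second part shows the regex change that the linked upstream commits make, as the editor understands them: the anchored version regex wrapped the version pattern in a repeated group `(...)*`, and the fix changes it to an optional group `(...)?`. The `VERSION_PATTERN` string used here is the 1.8/2.0-era pattern as the editor recalls it, without the later prerelease extension, and is an assumption; the follow-up issue the comments mention (bug 1009720) is not modelled. All sample version strings are constructed for the example.

```ruby
# Added example (editor's, not from the bug or from RubyGems itself).
#   1. is a given RubyGems version one of the fixed releases listed in the bug?
#   2. what did the upstream fix change, and why is the change safe?
# Assumption: the pre-fix anchoring regex and VERSION_PATTERN below are the
# editor's reading of the linked upstream commits, not text from the bug page.
require "rubygems"

# --- 1. version check against the "Fixed In Version" field ------------------
# Fixed releases per the bug: 2.1.0, 2.0.8, 1.8.26, 1.8.23.1.
# 1.8.23.1 is a patched 1.8.23; 1.8.24 and 1.8.25 are unfixed upstream, so the
# 1.8 branch is fixed only in the window [1.8.23.1, 1.8.24) and from 1.8.26 on.
def fixed_for_cve_2013_4287?(version_string)
  v = Gem::Version.new(version_string)
  major, minor = v.segments[0], v.segments[1]
  if v >= Gem::Version.new("2.1.0")          # 2.1.0.rc.x sorts below 2.1.0
    true
  elsif major == 2 && minor == 0
    v >= Gem::Version.new("2.0.8")
  elsif major == 1 && minor == 8
    v >= Gem::Version.new("1.8.26") ||
      (v >= Gem::Version.new("1.8.23.1") && v < Gem::Version.new("1.8.24"))
  else
    false # older branches (e.g. 1.3.x) had no fixed upstream release
  end
end

# Caveat: distribution packages (the RHSA updates listed in the bug) backport
# the patch without bumping Gem::VERSION, so "false" for a vendor package means
# "check the package changelog or errata", not "vulnerable".
def running_rubygems_fixed?
  fixed_for_cve_2013_4287?(Gem::VERSION)
end

# --- 2. the regex change -----------------------------------------------------
VERSION_PATTERN   = '[0-9]+(\.[0-9a-zA-Z]+)*'      # assumed 1.8/2.0-era pattern
# Before the fix: the whole version pattern inside a repeated group.
VULNERABLE_ANCHOR = /\A\s*(#{VERSION_PATTERN})*\s*\z/
# After the fix: at most one occurrence.
FIXED_ANCHOR      = /\A\s*(#{VERSION_PATTERN})?\s*\z/

# Both regexes accept exactly the same strings: two adjacent matches of
# VERSION_PATTERN always read as a single one (digit runs join, and ".a2" is
# a valid "\.[0-9a-zA-Z]+" segment), so "*" adds nothing but ambiguity.
# That ambiguity is the bug: n digits followed by a byte nothing accepts can
# be split into 2**(n-1) repetitions of the outer group, and a backtracking
# engine without memoization tries every split before rejecting.
def same_acceptance?(samples)
  samples.all? { |s| VULNERABLE_ANCHOR.match?(s) == FIXED_ANCHOR.match?(s) }
end

def pathological_version(n)
  ("1" * n) + "!"   # n digits, then a byte no branch of the pattern accepts
end

# Constructed samples: the first row is accepted, the second rejected.
SAMPLES = [
  "", "1", "1.2.3", "1.2.3a", "1.0.0.rc1", " 1.2 ",
  "1..2", "a.b", "1.2-3", "1.2 3.4", pathological_version(8)
].freeze

# The fixed pattern rejects a long pathological input in linear time.
def fixed_rejects_quickly?(n = 20_000)
  !FIXED_ANCHOR.match?(pathological_version(n))
end

if $PROGRAM_NAME == __FILE__
  puts "running RubyGems #{Gem::VERSION}: fixed release? #{running_rubygems_fixed?}"
  puts "same language on samples: #{same_acceptance?(SAMPLES)}"
  puts "fixed pattern rejects 20000-digit input: #{fixed_rejects_quickly?}"
  # Keep n small for the pre-fix pattern: on a Ruby without regex memoization
  # (before 3.2) the cost doubles with every extra digit.
  puts "pre-fix pattern, n=16: #{VULNERABLE_ANCHOR.match?(pathological_version(16))}"
end
```

Run it as a script to see the version verdict for the interpreter's own RubyGems. Do not raise `n` for the pre-fix pattern on a Ruby older than 3.2 unless you want to watch the CPU burn; Ruby 3.2 added regex match memoization and `Regexp.timeout`, either of which bounds this class of input, but the safe fix remains not shipping an ambiguous pattern in the first place.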