Bug 814718 (CVE-2012-2125, CVE-2012-2126)
| Summary: | CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23 | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bkabrda, djorm, hbrock, jrusnack, mastahnke, mmcgrath, mmorsi, morazi, mtasaka, vanmeeuwen+fedora, vondruch |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rubygem 1.8.23 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-18 20:35:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 814724, 814725, 814759, 847393, 903992, 988679, 1002838, 1002839, 1002841, 1002842, 1002843 | ||
| Bug Blocks: | 814763, 869077, 1034635 | ||
|
Description
Jan Lieskovsky
2012-04-20 14:22:50 UTC
These issues affect the versions of the rubygems package, as shipped with Red Hat Enterprise Linux 6. -- These issues affect the versions of the rubygems package, as shipped with Fedora release of 15 and 16. Please schedule the updates. -- These issues affect the version of the rubygems package, as shipped with Fedora EPEL 5. Please schedule the update. Created rubygems tracking bugs for this issue Affects: fedora-all [bug 814724] Affects: epel-5 [bug 814725] CVE Request: [3] http://www.openwall.com/lists/oss-security/2012/04/20/23 Created jruby tracking bugs for this issue Affects: fedora-16 [bug 814759] These issues affect the version of the jruby package, as shipped with Fedora release of 16. Please schedule an update. The CVE identifier of CVE-2012-2125 has been assigned to the: * #1 RubyGems now disallows redirection from HTTPS to HTTP. issue and identifier of CVE-2012-2126 has been assigned to the: * #2 RubyGems now verifies SSL connections. issue: http://www.openwall.com/lists/oss-security/2012/04/20/24 JBoss Enterprise SOA Platform includes jruby.jar as part of the scripting_chain quickstart. It is only deployed if you use this quickstart. jruby.jar does not include rubygems; this is provided by another component of the jruby distribution which is not included by JBoss Enterprise SOA Platform. Therefore JBoss Enterprise SOA Platform is not affected by these flaws in rubygems. rubygems-1.7.2-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. rubygems-1.8.11-3.fc16.1 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. rubygems-1.8.23-20.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates. This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise 1.2 Via RHSA-2013:1203 https://rhn.redhat.com/errata/RHSA-2013-1203.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1441 https://rhn.redhat.com/errata/RHSA-2013-1441.html This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2013:1852 https://rhn.redhat.com/errata/RHSA-2013-1852.html SAM-1 uses rubygems as a dependency and does not directly download or install additional ruby gems once installed. |