Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all]|
|Product:||[Fedora] Fedora||Reporter:||Vincent Danen <vdanen>|
|Component:||ruby||Assignee:||Jeroen van Meeuwen <vanmeeuwen+fedora>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||17||CC:||bkabrda, jeremy, jlieskov, mmorsi, mtasaka, tagoh, vanmeeuwen+fedora, vondruch|
|Target Milestone:||---||Keywords:||Security, SecurityTracking|
|Fixed In Version:||Doc Type:||Release Note|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-10-14 00:09:58 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
|Bug Blocks:||862598, 862614|
Description Vincent Danen 2012-10-03 16:50:23 EDT
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions. For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=862906 Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please ensure that it is only closed when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
Comment 1 Vincent Danen 2012-10-03 16:59:20 EDT
This affects F17 and later (not F16).
Comment 2 Jan Lieskovsky 2012-10-04 04:56:13 EDT
Reference CVE-2012-4464 in this one too, since it's the same situation (F-16 not affected, F-17 and later affected). => this bug is from now for both: 1) CVE-2012-4464 and 2) CVE-2012-4466 issues.
Comment 3 Mamoru TASAKA 2012-10-04 09:20:07 EDT
(In reply to comment #1) > This affects F17 and later (not F16). "This" means -4464, and -4466 affects F-18,17,16, right?
Comment 4 Jan Lieskovsky 2012-10-04 09:46:10 EDT
(In reply to comment #3) > (In reply to comment #1) > > This affects F17 and later (not F16). > > "This" means -4464, and -4466 affects F-18,17,16, right? 1) For CVE-2012-4464 this would affect F-18 and F-17: https://bugzilla.redhat.com/show_bug.cgi?id=862598#c2 but not Fedora-16 yet (since we ship 1.8.x based ruby version there), 2) For CVE-2012-4466 this would affect F-18 and F-17, but not F-16. Though this is reported to affected both ruby 1.9.x and ruby 1.8.x versions, I have checked yesterday that F-16 ruby doesn't contain OBJ_INFECT() clause in name_err_mesg_to_str() method yet (which upstream patch: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 is fixing. Note: That patch covers both issues / is the same for both of them). So it's enough to schedule F-18 and F-17 updates for these two.
Comment 5 Fedora Update System 2012-10-04 12:27:07 EDT
ruby-188.8.131.52-18.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/ruby-184.108.40.206-18.fc18
Comment 6 Fedora Update System 2012-10-04 12:27:52 EDT
ruby-220.127.116.11-17.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/ruby-18.104.22.168-17.fc17
Comment 7 Vít Ondruch 2012-10-05 03:33:08 EDT
(In reply to comment #3) > (In reply to comment #1) > > This affects F17 and later (not F16). > > "This" means -4464, and -4466 affects F-18,17,16, right? Hi Mamoru, I have confirmed from upstream, that the patch you applied to F16 is correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and CVE-2012-4466 as well.
Comment 8 Mamoru TASAKA 2012-10-05 05:10:49 EDT
(In reply to comment #7) > (In reply to comment #3) > > (In reply to comment #1) > > > This affects F17 and later (not F16). > > > > "This" means -4464, and -4466 affects F-18,17,16, right? > > Hi Mamoru, > > I have confirmed from upstream, that the patch you applied to F16 is > correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and > CVE-2012-4466 as well. Okay, thank you for confirming (and asking upstream).
Comment 9 Fedora Update System 2012-10-05 05:54:10 EDT
ruby-22.214.171.1248-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/ruby-126.96.36.1998-4.fc16
Comment 10 Fedora Update System 2012-10-08 20:29:29 EDT
ruby-188.8.131.52-18.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-10-13 23:50:42 EDT
ruby-184.108.40.206-17.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-10-13 23:52:38 EDT
ruby-220.127.116.118-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Mamoru TASAKA 2012-10-14 00:09:58 EDT
Fixed on all Fedora branches.