Bug 862907
Summary: | CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all] | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Vincent Danen <vdanen> |
Component: | ruby | Assignee: | Jeroen van Meeuwen <vanmeeuwen+fedora> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 17 | CC: | bkabrda, jeremy, jlieskov, mmorsi, mtasaka, tagoh, vanmeeuwen+fedora, vondruch |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Release Note |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-10-14 04:09:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 862598, 862614 | | |
Description
Vincent Danen
2012-10-03 20:50:23 UTC
This affects F17 and later (not F16).

Reference CVE-2012-4464 in this one too, since it's the same situation (F-16 not affected, F-17 and later affected).

=> this bug is from now for both: 1) CVE-2012-4464 and 2) CVE-2012-4466 issues.

(In reply to comment #1)
> This affects F17 and later (not F16).

"This" means -4464, and -4466 affects F-18,17,16, right?

(In reply to comment #3)
> (In reply to comment #1)
> > This affects F17 and later (not F16).
>
> "This" means -4464, and -4466 affects F-18,17,16, right?

1) For CVE-2012-4464 this would affect F-18 and F-17: https://bugzilla.redhat.com/show_bug.cgi?id=862598#c2 but not Fedora-16 yet (since we ship a 1.8.x based ruby version there).

2) For CVE-2012-4466 this would affect F-18 and F-17, but not F-16. Though this is reported to affect both ruby 1.9.x and ruby 1.8.x versions, I checked yesterday that F-16 ruby doesn't contain the OBJ_INFECT() clause in the name_err_mesg_to_str() method yet (which the upstream patch http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 is fixing; note: that patch covers both issues / is the same for both of them).

So it's enough to schedule F-18 and F-17 updates for these two.

ruby-1.9.3.194-18.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ruby-1.9.3.194-18.fc18

ruby-1.9.3.194-17.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ruby-1.9.3.194-17.fc17

(In reply to comment #3)
> (In reply to comment #1)
> > This affects F17 and later (not F16).
>
> "This" means -4464, and -4466 affects F-18,17,16, right?

Hi Mamoru,

I have confirmed from upstream that the patch you applied to F16 is correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and CVE-2012-4466 as well.

(In reply to comment #7)
> (In reply to comment #3)
> > (In reply to comment #1)
> > > This affects F17 and later (not F16).
> >
> > "This" means -4464, and -4466 affects F-18,17,16, right?
>
> Hi Mamoru,
>
> I have confirmed from upstream, that the patch you applied to F16 is
> correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and
> CVE-2012-4466 as well.

Okay, thank you for confirming (and asking upstream).

ruby-1.8.7.358-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ruby-1.8.7.358-4.fc16

ruby-1.9.3.194-18.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

ruby-1.9.3.194-17.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

ruby-1.8.7.358-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Fixed on all Fedora branches.