I ran across this issue in the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237 It seems that by executing an XMLRPC server in ruby in this manner: `s.add_handler(XMLRPC::iPIMethods("sample")` it becomes possible to execute any arbitrary commands within the XMLRPC server.
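An added illustration of the mitigation the advisories below imply (this is not code from the ruby XMLRPC library or from the distributors' fix): an RPC dispatcher that only reaches methods the handler's interface explicitly declares, so neither undeclared handler methods nor the Object/Kernel methods every Ruby object inherits are callable over the wire. `SampleHandler`, `ScopedDispatcher` and the method names are constructed for this example.

```ruby
# Constructed example: a handler object exposed under the "sample" prefix.
class SampleHandler
  def add(a, b)
    a + b
  end

  def greet(name)
    "hello, #{name}"
  end

  # Public, but deliberately NOT part of the declared RPC interface.
  def reset!
    :reset
  end
end

class ScopedDispatcher
  class MethodNotAllowed < StandardError; end

  # prefix:   the RPC namespace ("sample")
  # declared: the only method names reachable through the RPC surface
  # obj:      the object implementing them
  def initialize(prefix, declared, obj)
    @prefix = prefix
    @declared = declared.map(&:to_s)
    @obj = obj
  end

  # Resolve "prefix.method" to a method on obj, but only if it was declared
  # AND is defined on the handler's own class. Without these checks, any
  # public method reachable through obj (including inherited ones) could be
  # invoked by a remote caller, which is the class of bug reported above.
  def dispatch(full_name, *args)
    prefix, meth = full_name.split(".", 2)
    raise MethodNotAllowed, full_name unless prefix == @prefix && meth
    raise MethodNotAllowed, full_name unless @declared.include?(meth)
    own = @obj.class.public_instance_methods(false).map(&:to_s)
    raise MethodNotAllowed, full_name unless own.include?(meth)
    @obj.public_send(meth, *args)
  end
end

def build_sample_dispatcher
  ScopedDispatcher.new("sample", %w[add greet], SampleHandler.new)
end

# Returns true if the dispatcher refused the call, false if it went through.
def rejected?(dispatcher, name, *args)
  dispatcher.dispatch(name, *args)
  false
rescue ScopedDispatcher::MethodNotAllowed
  true
end
```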
Attaching a note to the gentoo-advisory - I think it's related. Versions in FC3/FC4 are also affected - should we file related bugs for those? http://www.gentoo.org/security/en/glsa/glsa-200507-10.xml
It seems Debian ships with a fix? http://www.debian.org/security/2005/dsa-748
Comment #7: For FC, it was already there: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161096 Look, this is a bug for RHEL4.
Comment #8: So? We've already shipped. https://www.redhat.com/archives/fedora-announce-list/2005-June/msg00058.html https://www.redhat.com/archives/fedora-announce-list/2005-June/msg00059.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-543.html