Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3905 to the following vulnerability:

resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.

References:
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
http://www.openwall.com/lists/oss-security/2008/09/04/9

Upstream patch:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=18424
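
The two properties named in the CVE text, checked over a resolver's observed outgoing queries; this is an added example, not code from resolv.rb or the upstream patch. The `[source_port, transaction_id]` pair format, the function names and every sample capture are constructed for illustration, and the randomized capture is an assumption about what unpredictable resolver traffic looks like.

```ruby
require 'securerandom'

# Added example: audit observed DNS queries for the two weaknesses named in
# CVE-2008-3905 (sequential transaction IDs, constant source port).
# Each query is a [source_port, transaction_id] pair, as a packet capture of a
# resolver's outgoing UDP queries would yield. All sample data is constructed.

ID_SPACE = 1 << 16 # DNS transaction IDs are 16 bits wide

# Fraction of consecutive queries whose ID is exactly previous + 1 (mod 2^16).
def sequential_ratio(ids)
  return 0.0 if ids.size < 2
  steps = ids.each_cons(2).count { |a, b| (b - a) % ID_SPACE == 1 }
  steps.to_f / (ids.size - 1)
end

# Returns a summary hash; :findings lists the weaknesses that were observed.
def audit_queries(queries, seq_threshold: 0.9)
  ports = queries.map(&:first)
  ids   = queries.map(&:last)
  ratio = sequential_ratio(ids)
  findings = []
  findings << :constant_source_port if queries.size > 1 && ports.uniq.size == 1
  findings << :sequential_transaction_ids if ratio >= seq_threshold
  { queries: queries.size, distinct_ports: ports.uniq.size,
    sequential_ratio: ratio.round(2), findings: findings }
end

# Constructed capture: one fixed port, IDs incrementing across the 16-bit wrap.
PREDICTABLE = [[32768, 65534], [32768, 65535], [32768, 0],
               [32768, 1], [32768, 2]].freeze

# Constructed capture: port and ID both drawn from a CSPRNG for every query.
def randomized_capture(count)
  Array.new(count) do
    [1024 + SecureRandom.random_number(64512), SecureRandom.random_number(ID_SPACE)]
  end
end

if __FILE__ == $PROGRAM_NAME
  p audit_queries(PREDICTABLE)
  p audit_queries(randomized_capture(50))
end
```
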
ruby-1.8.6.287-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0897.html
http://rhn.redhat.com/errata/RHSA-2008-0896.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8736
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8738