This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions. For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=862906 Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please ensure that it is only closed when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
This affects F17 and later (not F16).
Reference CVE-2012-4464 in this one too, since it's the same situation (F-16 not affected, F-17 and later affected). => this bug is from now for both: 1) CVE-2012-4464 and 2) CVE-2012-4466 issues.
(In reply to comment #1) > This affects F17 and later (not F16). "This" means -4464, and -4466 affects F-18,17,16, right?
(In reply to comment #3) > (In reply to comment #1) > > This affects F17 and later (not F16). > > "This" means -4464, and -4466 affects F-18,17,16, right? 1) For CVE-2012-4464 this would affect F-18 and F-17: https://bugzilla.redhat.com/show_bug.cgi?id=862598#c2 but not Fedora-16 yet (since we ship 1.8.x based ruby version there), 2) For CVE-2012-4466 this would affect F-18 and F-17, but not F-16. Though this is reported to affected both ruby 1.9.x and ruby 1.8.x versions, I have checked yesterday that F-16 ruby doesn't contain OBJ_INFECT() clause in name_err_mesg_to_str() method yet (which upstream patch: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 is fixing. Note: That patch covers both issues / is the same for both of them). So it's enough to schedule F-18 and F-17 updates for these two.
ruby-1.9.3.194-18.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/ruby-1.9.3.194-18.fc18
ruby-1.9.3.194-17.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/ruby-1.9.3.194-17.fc17
(In reply to comment #3) > (In reply to comment #1) > > This affects F17 and later (not F16). > > "This" means -4464, and -4466 affects F-18,17,16, right? Hi Mamoru, I have confirmed from upstream, that the patch you applied to F16 is correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and CVE-2012-4466 as well.
(In reply to comment #7) > (In reply to comment #3) > > (In reply to comment #1) > > > This affects F17 and later (not F16). > > > > "This" means -4464, and -4466 affects F-18,17,16, right? > > Hi Mamoru, > > I have confirmed from upstream, that the patch you applied to F16 is > correct. In other words, 1.8.7 is vulnerable to both CVE-2012-4464 and > CVE-2012-4466 as well. Okay, thank you for confirming (and asking upstream).
ruby-1.8.7.358-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/ruby-1.8.7.358-4.fc16
ruby-1.9.3.194-18.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.9.3.194-17.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.8.7.358-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Fixed on all Fedora branches.