Description of problem:
Ruby upstream has announced multiple security vulnerabilities related to improper Ruby access restriction to critical variables and methods at various safe levels:

a, untrace_var is permitted at safe level 4.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17692

b, $PROGRAM_NAME may be modified at safe level 4.
   Doesn't Affect: rhel-2.1->rhel-4.8
   Affects: rhel-5.2.z, rhel-5.3
   Proposed patch: ?

c, Insecure methods may be called at safe levels 1-3.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17696

d, Syslog operations are permitted at safe level 4.
   Affects: rhel-2.1->rhel-5.3
   Proposed patch: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17809

Version-Release number of selected component (if applicable):
All versions of the Ruby package as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5.

How reproducible:
Always

Steps to Reproduce:
See reproducers.

Additional info -- public mention of this issue:
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
*** Bug 458789 has been marked as a duplicate of this bug. ***
d. doesn't affect rhel2.1: the syslog module has been available since 1.6.6, and we shipped 1.6.4 for rhel2.1. FYI.
ruby-1.8.6.287-2.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc8
ruby-1.8.6.287-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ruby-1.8.6.287-2.fc9
ruby-1.8.6.287-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.8.6.287-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0897.html
  http://rhn.redhat.com/errata/RHSA-2008-0895.html
  http://rhn.redhat.com/errata/RHSA-2008-0896.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8736
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8738