blob: 284eed84737ba847faf8a6fbf70eea21229e421e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2011-0188">CVE-2011-0188</a>
<p>The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
and other platforms, does not properly allocate memory, which allows
context-dependent attackers to execute arbitrary code or cause a
denial of service (application crash) via vectors involving creation
of a large BigDecimal value within a 64-bit process, related to an
"integer truncation issue."</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2011-2705">CVE-2011-2705</a>
<p>use upstream SVN r32050 to modify PRNG state to prevent random number
sequence repeatation at forked child process which has same pid.
Reported by Eric Wong.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2012-4522">CVE-2012-4522</a>
<p>The rb_get_path_check function in file.c in Ruby 1.9.3 before
patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent
attackers to create files in unexpected locations or with unexpected
names via a NUL byte in a file path.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2013-0256">CVE-2013-0256</a>
<p>darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before
4.0.0.preview2.1, as used in Ruby, does not properly generate
documents, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via a crafted URL.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2013-2065">CVE-2013-2065</a>
<p>(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426,
and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for
native functions, which allows context-dependent attackers to bypass
intended $SAFE level restrictions.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2015-1855">CVE-2015-1855</a>
<p>OpenSSL extension hostname matching implementation violates RFC 6125</p></li>
</ul>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2015/dla-235.data"
# $Id$
|
