4.276. ruby

Updated ruby packages that fix two security issues, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

Security Fixes

CVE-2011-3009
It was found that Ruby did not reinitialize the PRNG (pseudorandom number generator) after forking a child process. This could eventually lead to the PRNG returning the same result twice. An attacker keeping track of the values returned by one child process could use this flaw to predict the values the PRNG would return in other child processes (as long as the parent process persisted).
CVE-2011-2705
A flaw was found in the Ruby SecureRandom module. When using the SecureRandom.random_bytes class, the PRNG state was not modified after forking a child process. This could eventually lead to SecureRandom.random_bytes returning the same string more than once. An attacker keeping track of the strings returned by one child process could use this flaw to predict the strings SecureRandom.random_bytes would return in other child processes (as long as the parent process persisted).

Bug Fixes

BZ#706332
The ruby package has been upgraded to upstream point release 1.8.7-p352, which provides a number of bug fixes over the previous version.
BZ#717709
The MD5 message-digest algorithm is not a FIPS-approved algorithm. Consequently, when a Ruby script attempted to calculate an MD5 checksum in FIPS mode, the interpreter terminated unexpectedly. This bug has been fixed and an exception is now raised in the described scenario.
BZ#730287
Due to inappropriately handled line continuations in the mkconfig.rb source file, an attempt to build the ruby package resulted in unexpected termination. An upstream patch has been applied to address this issue and the ruby package can now be built properly.
BZ#674787
When the 32-bit ruby-libs library was installed on a 64-bit machine, the mkmf library failed to load various modules necessary for building Ruby-related packages. This bug has been fixed and mkmf now works properly in the described scenario.
BZ#722887
Previously, the load paths for scripts and binary modules were duplicated on the i386 architecture. Consequently, an ActiveSupport test failed. With this update, the load paths are no longer stored in duplicates on the i386 architecture.

Enhancement

BZ#673162
With this update, SystemTap probes have been added to the ruby package.
All users of ruby are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.
Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

Security Fix

CVE-2011-4815
A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters.
All users of ruby are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
Updated ruby packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to do system management tasks.

Bug Fix

BZ#799959
If a marshaled object contained multiple child objects and the call to the Marshal.load method was interrupted by a context switch, a segmentation fault could have been triggered. This was due to a thread-safety bug in the Ruby interpreter and could affect multiple packages. To prevent segmentation faults from occurring, the destination string is marked, and data tables that are identical with symbol tables are cleared.
All users of ruby are advised to upgrade to these updated packages, which fix this bug.
Enhanced ruby packages are now available for Red Hat Enterprise Linux 6.
[Updated 6 Apr 2011] The text of this advisory has been updated to reflect the fact that these packages are not new in Red Hat Enterprise Linux 6.
Ruby is an interpreted scripting language for quick-and-easy object-oriented programming. It has many features to process text files and perform system management tasks, similar to Perl. It is simple, straight-forward, and extensible.
This enhancement update moves the ruby-rdoc and ruby-devel packages from the Red Hat Enterprise Linux 6 Optional channels to the Red Hat Enterprise Linux 6 base channels. This update does not make any other changes to packages. (BZ#810128)
All users who require ruby should install these enhanced packages.