Advisories » MGASA-2014-0443

Updated ruby packages fix CVE-2014-8080

Publication date: 14 Nov 2014
Modification date: 14 Nov 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-8080

Description

Updated ruby packages fix a security vulnerability:

Due to unrestricted entity expansion, when reading text nodes from an XML
document, the REXML parser in Ruby can be coerced into allocating extremely
large string objects which can consume all of the memory on a machine,
causing a denial of service (CVE-2014-8080).

The Mageia 3 ruby package has been updated to 1.9.3-p550 and the Mageia 4
ruby package has been updated to 2.0.0-p594 to fix this issue and several
other bugs.
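
To check hosts against the fixed versions named above, this added example (not part of the Mageia advisory) classifies "ruby -v" output by release series and patchlevel. The function names, status symbols and sample inventory are constructed for illustration; only the two fixed patchlevels come from the advisory.

```ruby
# Added example: audit `ruby -v` output against the fixed levels named in
# MGASA-2014-0443. All names here are hypothetical, not Mageia tooling.

# Lowest patchlevel per series that carries the CVE-2014-8080 fix, taken from
# the advisory text (Mageia 3: 1.9.3-p550, Mageia 4: 2.0.0-p594).
FIXED_PATCHLEVEL = { "1.9.3" => 550, "2.0.0" => 594 }.freeze

# Matches the leading "ruby 1.9.3p547" part of `ruby -v` output (MRI only).
VERSION_RE = /\Aruby (\d+\.\d+\.\d+)p(\d+)\b/

# Returns :fixed, :needs_update, :unknown_series or :unparsable.
def cve_2014_8080_status(version_line)
  m = VERSION_RE.match(version_line.to_s.strip)
  return :unparsable unless m

  series = m[1]
  patch = m[2].to_i
  fixed_at = FIXED_PATCHLEVEL[series]
  # The advisory only covers the 1.9.3 and 2.0.0 series; do not guess others.
  return :unknown_series unless fixed_at

  patch >= fixed_at ? :fixed : :needs_update
end

# Groups hosts by status. Input: { hostname => `ruby -v` output }.
def audit(inventory)
  result = Hash.new { |h, k| h[k] = [] }
  inventory.each { |host, line| result[cve_2014_8080_status(line)] << host }
  result
end

# Constructed inventory: hostnames and version lines are sample data.
SAMPLE_INVENTORY = {
  "mga3-web"   => "ruby 1.9.3p547 (sample build info) [x86_64-linux]",
  "mga3-batch" => "ruby 1.9.3p550 (sample build info) [x86_64-linux]",
  "mga4-web"   => "ruby 2.0.0p353 (sample build info) [x86_64-linux]",
  "mga4-api"   => "ruby 2.0.0p594 (sample build info) [x86_64-linux]",
  "other"      => "ruby 2.1.4p265 (sample build info) [x86_64-linux]",
  "broken"     => "bash: ruby: command not found"
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_INVENTORY).each { |status, hosts| puts "#{status}: #{hosts.join(', ')}" }
end
```

Hosts reported as unknown_series or unparsable need a manual check, since the advisory gives no fixed level for them.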
                

SRPMS

4/core

3/core