Advisories » MGASA-2015-0345

Updated ruby-RubyGems packages fix security vulnerabilities

Publication date: 08 Sep 2015
Modification date: 08 Sep 2015
Type: security
Affected Mageia releases : 4 , 5
CVE: CVE-2015-3900

Description

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems does not validate the hostname when fetching gems or making API
request, which allows remote attackers to redirect requests to arbitrary
domains via a crafted DNS SRV record, aka a "DNS hijack attack"
(CVE-2015-3900).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=16218
• https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900

SRPMS

4/core

• ruby-RubyGems-2.1.11-3.1.mga4

5/core

• ruby-RubyGems-2.1.11-5.1.mga5