Advisories ยป MGASA-2014-0443

Updated ruby packages fix CVE-2014-8080

Publication date: 14 Nov 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-8080


Updated ruby packages fix security vulnerability:

Due to unrestricted entity expansion, when reading text nodes from an XML
document, the REXML parser in Ruby can be coerced into allocating extremely
large string objects which can consume all of the memory on a machine,
causing a denial of service (CVE-2014-8080).

The Mageia 3 ruby package has been updated to 1.9.3-p550 and the Mageia 4
ruby package has been updated to 2.0.0-p594 to fix this issue and several
other bugs.