Advisories ยป MGASA-2015-0345

Updated ruby-RubyGems packages fix security vulnerabilities

Publication date: 08 Sep 2015
Modification date: 08 Sep 2015
Type: security
Affected Mageia releases : 4 , 5
CVE: CVE-2015-3900

Description

Updated ruby-RubyGems package fixes security vulnerability:

RubyGems does not validate the hostname when fetching gems or making API
request, which allows remote attackers to redirect requests to arbitrary
domains via a crafted DNS SRV record, aka a "DNS hijack attack"
(CVE-2015-3900).
                

References

SRPMS

4/core

5/core