On 06/03/10 at 15:47 -0500, Michael Gilbert wrote:
> Package: ruby1.9
> Version: 1.9.0.5-1
> Severity: serious
> Tags: security
>
> Hi,
>
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for ruby1.9. Note this was fixed in 1.9.1, and it isn't
> really clear whether it affects 1.9. I can't find enough info to say
> either way. Please check.
>
> CVE-2009-4124[0]:
> | Heap-based buffer overflow in the rb_str_justify function in string.c
> | in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to
> | execute arbitrary code via unspecified vectors involving (1)
> | String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of
> | these details are obtained from third party information.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124
>     http://security-tracker.debian.org/tracker/CVE-2009-4124
Hi Michael,

The version of ruby1.9 in lenny seems to be affected. Ruby1.9 is no longer available in unstable.

I'm tempted to just ignore that bug (the patch from 1.9.1 doesn't apply to 1.9.0). Ruby 1.9 is a development branch of Ruby; I don't think that anybody uses it for anything serious.

-- 
| Lucas Nussbaum                 | lu...@lucas-nussbaum.net           |
| http://www.lucas-nussbaum.net/ | jabber: lu...@nussbaum.fr          |
| GPG: 1024D/023B3F4F            |                                     |