openSUSE Security Update: ruby19 to 1.9.3 p385
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0376-1
Rating:             moderate
References:         #783511 #789983 #791199 #802406
Cross-References:   CVE-2012-4464 CVE-2012-4466 CVE-2012-4522
                    CVE-2012-5371 CVE-2013-0256
Affected Products:  openSUSE 12.2
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

ruby19 was updated to fix various bugs and security issues:

Update to 1.9.3 p385 (bnc#802406)
- XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)
- for other changes see /usr/share/doc/packages/ruby19/Changelog

Update to 1.9.3 p327 (bnc#789983)
- CVE-2012-5371 and plenty of other fixes

Update to 1.9.3 p286 (bnc#783511, bnc#791199)
- This release includes some security fixes, and many other bug fixes.
- $SAFE escaping vulnerability about Exception#to_s / NameError#to_s
  (CVE-2012-4464, CVE-2012-4466)
- Unintentional file creation caused by inserting an illegal NUL
  character (CVE-2012-4522)

The following bug fixes and packaging fixes were also made:
- make sure the rdoc output is more stable for build-compare
  (new patch ruby-sort-rdoc-output.patch)
- re-add the private header *atomic.h
- remove build dependency on ca certificates - only causing cycles
- one more header needed for rubygem-ruby-debug-base19
- install vm_core.h and its dependencies as ruby-devel-extra
- move the provides to the ruby package instead
- add provides for the internal gems
- restore the old ruby macros and the gem wrapper script
- gem_install_wrapper no longer necessary

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

    zypper in -t patch openSUSE-2013-167

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.2 (i586 x86_64):

    ruby19-1.9.3.p385-3.18.1
    ruby19-debuginfo-1.9.3.p385-3.18.1
    ruby19-debugsource-1.9.3.p385-3.18.1
    ruby19-devel-1.9.3.p385-3.18.1
    ruby19-devel-extra-1.9.3.p385-3.18.1
    ruby19-tk-1.9.3.p385-3.18.1
    ruby19-tk-debuginfo-1.9.3.p385-3.18.1

- openSUSE 12.2 (noarch):

    ruby19-doc-ri-1.9.3.p385-3.18.1

References:

  http://support.novell.com/security/cve/CVE-2012-4464.html
  http://support.novell.com/security/cve/CVE-2012-4466.html
  http://support.novell.com/security/cve/CVE-2012-4522.html
  http://support.novell.com/security/cve/CVE-2012-5371.html
  http://support.novell.com/security/cve/CVE-2013-0256.html
  https://bugzilla.novell.com/783511
  https://bugzilla.novell.com/789983
  https://bugzilla.novell.com/791199
  https://bugzilla.novell.com/802406