Secure testing team - Aug 2008 - Bug#494401: ruby1.8: New release (1.8.7-p71) with vulnerabilities fixes

Package: ruby1.8
Version: 1.8.7.22-2
Severity: grave
Tags: security

A new version (1.8.7-p71) has been released and fixed multiple
vulnerabilities[1].

* Several vulnerabilities in safe level
* DoS vulnerability in WEBrick
* Lack of taintness check in dl
* DNS spoofing vulnerability in resolv.rb (CVE-2008-1447[2])

The following pacakges in Debian are affected:

  * ruby1.8
    - unstable: 1.8.7.22-3
    - testing:  1.8.7.22-2
    - stable:   1.8.5-4etch2

[1]
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

Regards,
Daigo

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, ''testing''), (500,
''stable''), (90, ''unstable''), (1,
''experimental'')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)
Shell: /bin/sh linked to /bin/bash

Versions of packages ruby1.8 depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libruby1.8                    1.8.7.22-2 Libraries necessary to run Ruby 1.

ruby1.8 recommends no packages.

Versions of packages ruby1.8 suggests:
ii  rdoc1.8                       1.8.7.22-2 Generate documentation from Ruby s
ii  ri1.8                         1.8.7.22-2 Ruby Interactive reference (for Ru
ii  ruby1.8-examples              1.8.7.22-2 Examples for Ruby 1.8

-- no debconf information