ESB-2018.3629 - [UNIX/Linux][Debian] ruby-i18n: Denial of service - Remote/unauthenticated 2018-11-22

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3629
                  [DLA 1584-1] ruby-i18n security update
                             22 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-i18n
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-10077  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running ruby-i18n check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : ruby-i18n
Version        : 0.6.9-2+deb8u1
CVE ID         : CVE-2014-10077
Debian Bug     : #913093

It was discovered that there was a remote denial-of-service vulnerability
in ruby-i18n, an I18n and localization solution for Ruby.

An application crash could be triggered by engineering a situation where
`:some_key` is present in the `keep_keys` structure but not present in the
hash.

For Debian 8 "Jessie", this issue has been fixed in ruby-i18n version
0.6.9-2+deb8u1.

We recommend that you upgrade your ruby-i18n packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- --------------------------END INCLUDED TEXT--------------------
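
The failure condition the advisory describes, a key listed in `keep_keys` that the hash does not contain, shown as an added Ruby example that is not the ruby-i18n source and not part of the Debian advisory. The module, helper names and sample data are hypothetical; it assumes a key-filtering helper that reads each requested key with `Hash#fetch`, whose unhandled `KeyError` is the crash.

```ruby
# Added illustration; SliceDemo and its helpers are hypothetical names.
module SliceDemo
  module_function

  # Fragile form: Hash#fetch raises KeyError for any requested key
  # that the hash does not contain.
  def slice_strict(hash, *keep_keys)
    keep_keys.each_with_object({}) { |key, out| out[key] = hash.fetch(key) }
  end

  # Hardened form: copy only keys that are actually present.
  # key? (not a nil check) keeps keys whose stored value is nil.
  def slice_present(hash, *keep_keys)
    keep_keys.each_with_object({}) do |key, out|
      out[key] = hash[key] if hash.key?(key)
    end
  end

  # Calls one of the helpers and reports the outcome instead of letting
  # the exception propagate, so both forms can be compared side by side.
  def outcome(slicer, hash, keys)
    [:ok, public_send(slicer, hash, *keys)]
  rescue KeyError => e
    [:crash, e.message]
  end
end

# Constructed sample data: :some_key is requested but absent from the hash.
SAMPLE_OPTIONS = { locale: :en, scope: :errors }.freeze
KEEP_KEYS = [:locale, :some_key].freeze

if __FILE__ == $PROGRAM_NAME
  %i[slice_strict slice_present].each do |slicer|
    status, detail = SliceDemo.outcome(slicer, SAMPLE_OPTIONS, KEEP_KEYS)
    puts "#{slicer}: #{status} (#{detail.inspect})"
  end
end
```

Without a rescue at the call site, the `KeyError` from the fragile form terminates the request or process that triggered it.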

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================