08 February 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2013.0017
            A vulnerability has been identified in Ruby
                          8 February 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0256
Member content until: Sunday, March 10 2013

OVERVIEW

        A vulnerability has been identified in Ruby prior to versions
        1.9.3 p385, 2.0.0 rc2 or trunk revision 39102.

IMPACT

        The vendor has provided the following description regarding this
        vulnerability:

        "RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and
        prereleases up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS
        exploit. This exploit may lead to cookie disclosure to third
        parties."

MITIGATION

        Users should update Ruby to 1.9.3 p385, 2.0.0 rc2, trunk revision
        39102 or later, which ship an rdoc outside the affected range.

        Note that the vulnerable artefact is the documentation that rdoc
        generates: HTML documentation already produced with an affected
        rdoc remains vulnerable after the upgrade until it is regenerated
        with a fixed version.

REFERENCES

        XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)
        http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/

        Ruby 1.9.3-p385 is released
        http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBURSREO4yVqjM2NGpAQKiwQ/+PdJFkkhTNLBnHbBWIzc0N2j8V69EwLIx
hKhaf7WlOUadsbgOwR/ph7QO4gDqSZhW5z0Q7smvr9jqtUnHymxBcFevK1b1sCXx
/lAXN3al6KXZS6MdMxrtq8nyzFoy5ivlRsXysfVy/K71ANRLKADuazKxzct2k9PT
Teh4luUVUuqEGUJocQzPKI4cOsatSW0fQq2uP34dYh5ULy8+zi/FEWBLVazFrjnv
gQtNPLdl+zYua3khWmMwZmqFt9L22lvhEovqbk6WvyEjbBIfJkEog4v/H5vIEqQs
Oe+D4gtLT3yvmYuPI+lGk59MNGk2J4SxciB7YWspm/McscvnhPpgOn2w/+Wb2w3o
WdHtuW63lm4btY3GQqV6j6DDjqB8iiIomm3XQ4T/pGBXWl8jwM0wr0Tv4nB61nf6
J9MgibRs9so/MwS6TR/0u+2o1013oIv6nc9B+rO1VMf15d6ZSK7HwxTJlmphtyGz
drm9JzxSmyJ0WvSxfiJZArcm26yBq074+Qx2mQpoU+I1xIWKooHhIN0es0j464gv
nb+h9MERe+FC+NmkI2448UypcMAVbdtnVIo/21bKAzeEMESvSQN1oPm1iFZPzWRK
BiZZNXD5zyEUF2OQXpX/kgv9Uc+bRqOT8yKPgc3g+eTFyJz/zOM59TZh3EKJFOXC
YJa2zPsAqM0=
=VFYa
-----END PGP SIGNATURE-----
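A practical check that follows from the vendor's affected-version statement above. The script below is an added example written for this page; it is not part of the AusCERT bulletin or of Ruby's own tooling. It encodes exactly the range the vendor quotes (rdoc 2.3.0 through 3.12 inclusive, plus 4.0.0 prereleases up to and including 4.0.0.preview2.1) and classifies any rdoc version string against it using Gem::Version, which orders prerelease tags such as "preview2.1" before the corresponding final release. The function name rdoc_affected? and the helper installed_rdoc_versions are this example's own; the sample versions in the usage block are constructed for illustration.

```ruby
# Added example (not from the bulletin): classify rdoc versions against the
# affected range the vendor states for CVE-2013-0256.
require 'rubygems'

# Bounds taken from the vendor text quoted in the bulletin.
AFFECTED_RELEASE_LOW  = Gem::Version.new('2.3.0')            # first affected release
AFFECTED_RELEASE_HIGH = Gem::Version.new('3.12')             # last affected release
AFFECTED_PRE_LINE     = Gem::Version.new('4.0.0')            # prerelease line named by the vendor
AFFECTED_PRE_HIGH     = Gem::Version.new('4.0.0.preview2.1') # last affected prerelease

# Returns true when +version_string+ falls inside the vendor's affected range.
# Raises ArgumentError for strings Gem::Version cannot parse.
def rdoc_affected?(version_string)
  v   = Gem::Version.new(version_string)
  rel = v.release # strips any prerelease tag, e.g. 4.0.0.preview2.1 -> 4.0.0

  # Releases 2.3.0 .. 3.12 (and any prerelease of a version in that span).
  return true if rel >= AFFECTED_RELEASE_LOW && rel <= AFFECTED_RELEASE_HIGH

  # 4.0.0 prereleases up to and including preview2.1. Later prereleases
  # (preview2.2, rc tags) and the final 4.0.0 sort above preview2.1 and are
  # therefore outside the stated range.
  v.prerelease? && rel == AFFECTED_PRE_LINE && v <= AFFECTED_PRE_HIGH
end

# Versions of the rdoc gem visible to this Ruby (default gems included).
def installed_rdoc_versions
  Gem::Specification.find_all_by_name('rdoc').map { |spec| spec.version.to_s }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, bracketing both ends of the range.
  samples = %w[2.2.9 2.3.0 3.12 3.12.1 4.0.0.preview1 4.0.0.preview2.1
               4.0.0.preview2.2 4.0.0.rc1 4.0.0]
  samples.each do |ver|
    puts format('rdoc %-18s %s', ver, rdoc_affected?(ver) ? 'AFFECTED' : 'outside affected range')
  end

  installed_rdoc_versions.each do |ver|
    puts format('installed rdoc %-8s %s', ver, rdoc_affected?(ver) ? 'AFFECTED' : 'outside affected range')
  end
end
```

The check only tells you whether the installed rdoc would produce vulnerable output; it says nothing about documentation that was already generated and published with an affected version, which still has to be regenerated after the upgrade.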