-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0017
                A vulnerability has been identified in Ruby
                              8 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0256  
Member content until: Sunday, March 10 2013

OVERVIEW

        A vulnerability has been identified in the RDoc documentation
        generator bundled with Ruby. Ruby releases prior to 1.9.3-p385,
        2.0.0 rc2 or trunk revision 39102 are affected. [1]


IMPACT

        The vendor has provided the following description regarding this
        vulnerability:
        
        "RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and
        prereleases up to rdoc 4.0.0.preview2.1 is vulnerable to an XSS
        exploit. This exploit may lead to cookie disclosure to third parties."
        [1]


MITIGATION

        Users should update Ruby to 1.9.3-p385, 2.0.0 rc2 or trunk revision
        39102 or later, which ship a fixed rdoc. [2] Because the flaw is in
        the HTML that rdoc produces, documentation already generated by a
        vulnerable rdoc remains vulnerable until it is regenerated with a
        fixed version; upgrading the interpreter alone does not correct
        previously generated output.
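        As an added example, not part of this bulletin and not code from rdoc
        or Ruby, the following Ruby check classifies an rdoc version string
        against the vulnerable ranges quoted above (rdoc 2.3.0 through 3.12,
        plus 4.0.0 prereleases up to 4.0.0.preview2.1). It uses RubyGems'
        Gem::Version ordering so that 3.12.1 and the 4.0.0.rc prereleases
        fall outside the range while 4.0.0.preview2.1 falls inside it.
        RDoc::VERSION is the constant rdoc itself defines; the function names
        rdoc_vulnerable? and installed_rdoc_status are assumed for
        illustration.

```ruby
# Added example, not code from the AusCERT bulletin or from rdoc/Ruby.
# Classifies an rdoc version against the ranges the vendor describes as
# vulnerable to CVE-2013-0256 (rdoc 2.3.0 through 3.12, plus 4.0.0
# prereleases up to and including 4.0.0.preview2.1).
require 'rubygems'

VULN_FIRST    = Gem::Version.new('2.3.0')             # first affected release
VULN_LAST     = Gem::Version.new('3.12')              # last affected release
VULN_LAST_PRE = Gem::Version.new('4.0.0.preview2.1')  # last affected 4.0.0 prerelease
FOUR_OH       = Gem::Version.new('4.0.0')

# true  -> version is inside a vulnerable range
# false -> version is outside the stated ranges
# nil   -> string is not a parseable version
def rdoc_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  in_release_range = v >= VULN_FIRST && v <= VULN_LAST
  # Gem::Version orders the string segment "preview" before "rc", so
  # 4.0.0.rc.* sorts above preview2.1 and is not flagged; 3.12.1 sorts
  # above 3.12 and is not flagged either.
  in_prerelease_range = v.prerelease? && v.release == FOUR_OH && v <= VULN_LAST_PRE
  in_release_range || in_prerelease_range
rescue ArgumentError
  nil # Gem::Version rejects malformed strings such as "unknown"
end

# Reports the rdoc bundled with the running interpreter. RDoc::VERSION is
# the constant rdoc itself defines; returns nil if rdoc cannot be loaded.
def installed_rdoc_status
  require 'rdoc'
  { version: RDoc::VERSION, vulnerable: rdoc_vulnerable?(RDoc::VERSION) }
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  status = installed_rdoc_status
  if status
    verdict = status[:vulnerable] ? 'VULNERABLE (CVE-2013-0256)' : 'not in the affected ranges'
    puts "rdoc #{status[:version]}: #{verdict}"
  else
    puts 'rdoc is not installed'
  end
end
```

        Run the script under each Ruby installation that generates
        documentation; a "not in the affected ranges" result says nothing
        about HTML that was generated earlier by a vulnerable rdoc, which
        still needs to be regenerated.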


REFERENCES

        [1] XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)
            http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/

        [2] Ruby 1.9.3-p385 is released
            http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----