Detections
Analytics

CentOS 5 / 6 : ruby (CESA-2013:1090)

medium Nessus Plugin ID 68941

Language:

Synopsis

The remote CentOS host is missing one or more security updates.

Description

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.
(CVE-2013-4073)

All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve this issue.

Solution

Update the affected ruby packages.

See Also

http://www.nessus.org/u?406092e7

http://www.nessus.org/u?e90fc49e

Plugin Details

Severity: Medium

ID: 68941

File Name: centos_RHSA-2013-1090.nasl

Version: 1.14

Type: local

Agent: unix

Published: 7/18/2013

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2013-4073

Vulnerability Information

CPE: p-cpe:/a:centos:centos:ruby-devel, p-cpe:/a:centos:centos:ruby-libs, p-cpe:/a:centos:centos:ruby-rdoc, cpe:/o:centos:centos:6, p-cpe:/a:centos:centos:ruby-static, p-cpe:/a:centos:centos:ruby-docs, p-cpe:/a:centos:centos:ruby-irb, p-cpe:/a:centos:centos:ruby-ri, cpe:/o:centos:centos:5, p-cpe:/a:centos:centos:ruby-tcltk, p-cpe:/a:centos:centos:ruby, p-cpe:/a:centos:centos:ruby-mode

Required KB Items: Host/local_checks_enabled, Host/CentOS/release, Host/CentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/17/2013

Vulnerability Publication Date: 8/18/2013

Reference Information

CVE: CVE-2013-4073

BID: 60843

RHSA: 2013:1090