Bug 36993

Summary: ruby1.9.1: Multiple issues (4.0)
Product: UCS
Reporter: Moritz Muehlenhoff <jmm>
Component: Security updates
Assignee: Daniel Tröder <troeder>
Status: CLOSED FIXED
QA Contact: Stefan Gohmann <gohmann>
Severity: normal
Priority: P4
CC: gohmann, requate, walkenhorst
Version: UCS 4.0
Flags: requate: Patch_Available+
Target Milestone: UCS 4.0-3-errata
Hardware: Other
OS: Linux

Description Moritz Muehlenhoff univentionstaff 2014-11-25 11:21:26 CET
Object taint bypassing in DL and Fiddle (CVE-2013-2065) 
Denial of service in the encodes() function (CVE-2014-4975)
Denial of service through unrestricted XML entity expansion (CVE-2014-8080, CVE-2014-8090)
Comment 1 Arvid Requate univentionstaff 2015-05-04 13:01:07 CEST
Man-in-the-middle attack via crafted SSL certificates (CVE-2015-1855)
Comment 2 Arvid Requate univentionstaff 2015-05-04 13:03:18 CEST
Fix available in upstream Debian version 1.9.3.194-8.1+deb7u5
Comment 3 Daniel Tröder univentionstaff 2015-09-02 17:26:11 CEST
* ruby1.9.1 1.9.3.194-8.1+deb7u5 was imported and built to scope errata4.0-3.
* Drop test patch (4.0-0-0-ucs/1.9.3.194-8.1+deb7u5-errata4.0-3/drop-test.patch) was updated.
* r15230, r15232 and 15233 add a new patch (4.0-0-0-ucs/1.9.3.194-8.1+deb7u5-errata4.0-3/020-raise-test-dh-size.patch) to make openssl tests work.
* YAML (r63405, r63409): 2015-09-02-ruby1.9.1.yaml

2013-2065: oldstable: not vulnerable
Comment 4 Stefan Gohmann univentionstaff 2015-09-08 15:32:47 CEST
YAML: OK

ruby tests: OK

Redmine tested: OK
Comment 5 Janek Walkenhorst univentionstaff 2015-09-09 15:17:44 CEST
<http://errata.software-univention.de/ucs/4.0/313.html>