Multiple vulnerabilities have been discovered in Ruby that allow for attacks including arbitrary code execution and Denial of Service.
| Package | dev-lang/ruby (all architectures) |
| Affected versions | < 1.8.6_p287-r1 |
| Unaffected versions | >= 1.8.6_p287-r1 |
Ruby is an interpreted object-oriented programming language. Its extensive standard library includes an HTTP server ("WEBrick") and an XML parser ("REXML").
Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of Apple Product Security discovered the following flaws:
Furthermore, several other vulnerabilities have been reported:
These vulnerabilities allow remote attackers to execute arbitrary code, spoof DNS responses, bypass Ruby's built-in security and taintness checks, and cause a Denial of Service via crash or CPU exhaustion.
There is no known workaround at this time.
All Ruby users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p287-r1"
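The advisory only states the version boundary; before (or after) running the emerge command it is useful to check which installed dev-lang/ruby slots actually fall below 1.8.6_p287-r1. The following POSIX sh script is an added example written for this page, not part of the Gentoo advisory or of Portage. It reads the installed package list from Gentoo's package database under /var/db/pkg/CATEGORY/PN-PV and compares each version against the fixed version with a small comparator. The comparator is an assumption of this example: it understands only the version shape MAJOR.MINOR.MICRO[_pPATCH][-rREV] used by the versions in this advisory and reports any other shape (for example _rc or _pre releases) as unparseable rather than guessing.

```shell
#!/bin/sh
# Added example, not from the Gentoo advisory: flag installed dev-lang/ruby
# versions that are older than the fixed version named in the advisory.

FIXED_VERSION="1.8.6_p287-r1"   # first unaffected version, from the advisory

# Print "MAJOR MINOR MICRO PATCH REV" for a version of the shape
# MAJOR.MINOR.MICRO[_pPATCH][-rREV]; missing _p/-r parts count as 0.
# Returns 1 for any other shape (assumption: _rc, _pre, letters are unsupported).
split_version() {
    ver="$1" rev=0 patch=0
    case "$ver" in
        *-r*) rev="${ver##*-r}"; ver="${ver%-r*}" ;;
    esac
    case "$ver" in
        *_p*) patch="${ver##*_p}"; ver="${ver%_p*}" ;;
    esac
    # What remains must be plain digits separated by single dots.
    case "$ver" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    for n in "$patch" "$rev"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    printf '%s %s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$patch" "$rev"
}

# Print -1, 0 or 1 when version $1 is older than, equal to or newer than $2.
# Returns 2 if either version cannot be parsed.
version_cmp() {
    a=$(split_version "$1") || return 2
    b=$(split_version "$2") || return 2
    set -- $b
    for x in $a; do
        y=$1; shift
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# Exit 0 if the given dev-lang/ruby version is in the affected range
# (< FIXED_VERSION), 1 if it is not, 2 if the version cannot be parsed.
ruby_is_affected() {
    r=$(version_cmp "$1" "$FIXED_VERSION") || return 2
    [ "$r" -lt 0 ]
}

# On a Gentoo host every installed package has a directory
# /var/db/pkg/CATEGORY/PN-PV; the [0-9] guard skips other packages whose
# name merely starts with "ruby-". On non-Gentoo hosts the loop does nothing.
for dir in /var/db/pkg/dev-lang/ruby-[0-9]*; do
    [ -d "$dir" ] || continue
    v="${dir##*/ruby-}"
    if ruby_is_affected "$v"; then
        echo "dev-lang/ruby-$v is AFFECTED (< $FIXED_VERSION): upgrade with the emerge command above"
    elif [ $? -eq 2 ]; then
        echo "dev-lang/ruby-$v: version shape not understood, check it by hand"
    else
        echo "dev-lang/ruby-$v is not affected"
    fi
done
```

Because Ruby is slotted on Gentoo, more than one dev-lang/ruby directory may exist; the loop reports each one, and the emerge command in the advisory pulls the fixed version into the affected slot. The comparator follows Portage's ordering for the suffixes it accepts (a missing -r revision sorts below -r1, so 1.8.6_p287 is correctly reported as affected), but it is not a replacement for Portage's own version logic.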