<?xml version="1.0" encoding="utf-8"?>
<glsa id="200507-10">
<title>Ruby: Arbitrary command execution through XML-RPC</title>
A vulnerability in XMLRPC.iPIMethods allows remote attackers to execute
arbitrary commands.
<product type="ebuild">ruby</product>
<announced>July 11, 2005</announced>
<revised>July 11, 2005: 01</revised>
<package name="dev-lang/ruby" auto="yes" arch="*">
<unaffected range="ge">1.8.2-r2</unaffected>
<vulnerable range="lt">1.8.2-r2</vulnerable>
Ruby is an interpreted scripting language for quick and easy
object-oriented programming. XML-RPC is a remote procedure call
protocol encoded in XML.
Nobuhiro IMAI reported that an invalid default value in "utils.rb"
causes the security protections of the XML-RPC server to fail.
<impact type="high">
A remote attacker could exploit this vulnerability to execute
arbitrary commands.
There is no known workaround at this time.
All Ruby users should upgrade to the latest available version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-lang/ruby-1.8.2-r2&quot;</code>
<uri link="">CAN-2005-1992</uri>
<uri link="">Ruby Security Announcement</uri>
<metadata tag="requester" timestamp="Sat, 09 Jul 2005 18:51:00 +0000">
<metadata tag="submitter" timestamp="Sat, 09 Jul 2005 19:20:33 +0000">
<metadata tag="bugReady" timestamp="Mon, 11 Jul 2005 12:47:35 +0000">