FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-3655

This CVE name corresponds to:

Entered     Topic
2008-08-16  ruby -- DoS vulnerability in WEBrick
            ruby -- multiple vulnerabilities in safe level

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2008-3655
Phase  Assigned (20080812)

Description

Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 do not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.

References

Source    Reference
BUGTRAQ 20080831 rPSA-2008-0264-1 ruby
CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401
CONFIRM http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0264
CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm
CONFIRM http://support.apple.com/kb/HT3549
APPLE APPLE-SA-2009-05-12
DEBIAN DSA-1651
DEBIAN DSA-1652
FEDORA FEDORA-2008-8736
FEDORA FEDORA-2008-8738
GENTOO GLSA-200812-17
REDHAT RHSA-2008:0895
REDHAT RHSA-2008:0897
UBUNTU USN-651-1
CERT TA09-133A
BID 30644
OVAL oval:org.mitre.oval:def:11602
SECUNIA 35074
VUPEN ADV-2008-2334
SECTRACK 1020656
SECUNIA 31697
SECUNIA 32255
SECUNIA 32256
SECUNIA 33178
SECUNIA 31430
SECUNIA 32165
SECUNIA 32219
SECUNIA 32371
SECUNIA 32372
VUPEN ADV-2009-1297
XF ruby-safelevel-security-bypass(44369)