Multiple vulnerabilities were discovered in the interpreter for the Ruby language: CVE-2014-4975 The encodes() function in pack.c had an off-by-one error that could lead to a stack-based buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution. CVE-2014-8080, CVE-2014-8090 The REXML parser could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash).

For the stable distribution (wheezy), these problems have been fixed in version 1.9.3.194-8.1+deb7u3. For the upcoming stable distribution (jessie), these problems have been fixed in version 2.1.5-1 of the ruby2.1 source package. For the unstable distribution (sid), these problems have been fixed in version 2.1.5-1 of the ruby2.1 source package. We recommend that you upgrade your ruby1.9.1 packages.

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in perl). It is simple, straight-forward, and extensible.

ruby1.9.1 on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2015/dsa-3157.html

---

Updated on 2015-03-25