Security update for Ruby 1.9

SUSE Security Update: Security update for Ruby 1.9
Announcement ID: SUSE-SU-2013:0647-1
Rating: important
References: #783511 #789983 #791199 #796757 #802406 #803342
Affected Products:
  • SUSE Studio Onsite 1.3

  • An update that solves one vulnerability and has 5 fixes is now available.


    The Ruby script interpreter 1.9 has been updated to 1.9.3
    p392 fixing various bugs and security issues:

    This release includes security fixes about bundled JSON and

    * Denial of Service and Unsafe Object Creation
    Vulnerability in JSON (CVE-2013-0269)
    * Entity expansion DoS vulnerability in REXML (XML bomb)
    * XSS exploit of RDoc documentation generated by rdoc

    And some small bugfixes are also included see
    /usr/share/doc/packages/ruby19/Changelog for more details

    Also the following bugfix was added:

    * added bind_stack.patch: (bnc#796757) Fixes stack
    boundary issues when embedding Ruby into threaded C code
    (Ruby bug #229)

    Security Issue reference:

    * CVE-2013-0269

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Studio Onsite 1.3:
      zypper in -t patch slestso13-ruby19-7496

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Studio Onsite 1.3 (x86_64):
    • ruby19-1.9.3.p392-0.7.1
    • ruby19-devel-1.9.3.p392-0.7.1
    • ruby19-devel-extra-1.9.3.p392-0.7.1