CVE-2014-8080 - XML External Entity Denial of Service vulnerability in Ruby

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, opensuse, canonical, ruby-lang, redhat, nessus

Summary

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-1912.NASL
    description: Updated ruby packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash. (CVE-2014-4975) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79596
    published: 2014-11-27
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79596
    title: RHEL 7 : ruby (RHSA-2014:1912)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2014:1912. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79596);
      script_version("1.17");
      script_cvs_date("Date: 2019/10/24 15:35:39");
    
      script_cve_id("CVE-2014-4975", "CVE-2014-8080", "CVE-2014-8090");
      script_bugtraq_id(68474, 70935, 71230);
      script_xref(name:"RHSA", value:"2014:1912");
    
      script_name(english:"RHEL 7 : ruby (RHSA-2014:1912)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated ruby packages that fix three security issues are now available
    for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having Moderate
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Ruby is an extensible, interpreted, object-oriented, scripting
    language. It has features to process text files and to perform system
    management tasks.
    
    Multiple denial of service flaws were found in the way the Ruby REXML
    XML parser performed expansion of parameter entities. A specially
    crafted XML document could cause REXML to use an excessive amount of
    CPU and memory. (CVE-2014-8080, CVE-2014-8090)
    
    A stack-based buffer overflow was found in the implementation of the
    Ruby Array pack() method. When performing base64 encoding, a single
    byte could be written past the end of the buffer, possibly causing
    Ruby to crash. (CVE-2014-4975)
    
    The CVE-2014-8090 issue was discovered by Red Hat Product Security.
    
    All ruby users are advised to upgrade to these updated packages, which
    contain backported patches to correct these issues. All running
    instances of Ruby need to be restarted for this update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2014:1912"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-8080"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-4975"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-8090"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-irb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby-tcltk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-bigdecimal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-io-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-minitest");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-psych");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-rake");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-rdoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygems");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygems-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2014:1912";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ruby-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ruby-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"ruby-debuginfo-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ruby-devel-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ruby-devel-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"ruby-doc-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"ruby-irb-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"ruby-libs-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ruby-tcltk-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ruby-tcltk-2.0.0.353-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"rubygem-bigdecimal-1.2.0-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rubygem-bigdecimal-1.2.0-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"rubygem-io-console-0.4.2-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rubygem-io-console-0.4.2-22.el7_0")) flag++;
    
      if (rpm_exists(rpm:"rubygem-json-1.7", release:"RHEL7") && rpm_check(release:"RHEL7", cpu:"s390x", reference:"rubygem-json-1.7.7-22.el7_0")) flag++;
    
      if (rpm_exists(rpm:"rubygem-json-1.7", release:"RHEL7") && rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rubygem-json-1.7.7-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"rubygem-minitest-4.3.2-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"rubygem-psych-2.0.0-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rubygem-psych-2.0.0-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"rubygem-rake-0.9.6-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"rubygem-rdoc-4.0.0-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"rubygems-2.0.14-22.el7_0")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"rubygems-devel-2.0.14-22.el7_0")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby / ruby-debuginfo / ruby-devel / ruby-doc / ruby-irb / etc");
      }
    }
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2014-449.NASL
    description: The upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit. As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time. High memory usage can be achieved using larger inputs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79298
    published: 2014-11-18
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79298
    title: Amazon Linux AMI : ruby21 (ALAS-2014-449)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2014-449.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79298);
      script_version("1.6");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2014-8090");
      script_xref(name:"ALAS", value:"2014-449");
    
      script_name(english:"Amazon Linux AMI : ruby21 (ALAS-2014-449)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The upstream patch for CVE-2014-8080 introduced checks against the
    REXML.entity_expansion_text_limit, but did not add restrictions to
    limit the number of expansions performed, i.e. checks against the
    REXML::Document.entity_expansion_limit. As a consequence, even with
    the patch applied, a small XML document could cause REXML to use an
    excessive amount of CPU time. High memory usage can be achieved using
    larger inputs."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2014-449.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update ruby21' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-irb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem21-bigdecimal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem21-io-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem21-psych");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems21");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems21-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"ruby21-2.1.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby21-debuginfo-2.1.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby21-devel-2.1.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby21-doc-2.1.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby21-irb-2.1.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby21-libs-2.1.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygem21-bigdecimal-1.2.4-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygem21-io-console-0.4.2-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygem21-psych-2.0.5-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygems21-2.2.2-1.15.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygems21-devel-2.2.2-1.15.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby21 / ruby21-debuginfo / ruby21-devel / ruby21-doc / ruby21-irb / etc");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2014-1911.NASL
    description: From Red Hat Security Advisory 2014:1911 : Updated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79593
    published: 2014-11-27
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79593
    title: Oracle Linux 6 : ruby (ELSA-2014-1911)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2014:1911 and 
    # Oracle Linux Security Advisory ELSA-2014-1911 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79593);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/30 10:58:19");
    
      script_cve_id("CVE-2014-8080", "CVE-2014-8090");
      script_bugtraq_id(70935, 71230);
      script_xref(name:"RHSA", value:"2014:1911");
    
      script_name(english:"Oracle Linux 6 : ruby (ELSA-2014-1911)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2014:1911 :
    
    Updated ruby packages that fix two security issues are now available
    for Red Hat Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having Moderate
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Ruby is an extensible, interpreted, object-oriented, scripting
    language. It has features to process text files and to perform system
    management tasks.
    
    Multiple denial of service flaws were found in the way the Ruby REXML
    XML parser performed expansion of parameter entities. A specially
    crafted XML document could cause REXML to use an excessive amount of
    CPU and memory. (CVE-2014-8080, CVE-2014-8090)
    
    The CVE-2014-8090 issue was discovered by Red Hat Product Security.
    
    All ruby users are advised to upgrade to these updated packages, which
    contain backported patches to correct these issues. All running
    instances of Ruby need to be restarted for this update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2014-November/004673.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ruby packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-irb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-rdoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-ri");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-tcltk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"ruby-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-devel-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-docs-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-irb-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-libs-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-rdoc-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-ri-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-static-1.8.7.374-3.el6_6")) flag++;
    if (rpm_check(release:"EL6", reference:"ruby-tcltk-1.8.7.374-3.el6_6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby / ruby-devel / ruby-docs / ruby-irb / ruby-libs / ruby-rdoc / etc");
    }
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2014-441.NASL
    description: The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78874
    published: 2014-11-06
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78874
    title: Amazon Linux AMI : ruby20 (ALAS-2014-441)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2014-441.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(78874);
      script_version("1.5");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2014-8080");
      script_xref(name:"ALAS", value:"2014-441");
    
      script_name(english:"Amazon Linux AMI : ruby20 (ALAS-2014-441)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before
    2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a
    denial of service (memory consumption) via a crafted XML document, aka
    an XML Entity Expansion (XEE) attack."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2014-441.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update ruby20' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-irb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem20-bigdecimal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem20-io-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem20-psych");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems20");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems20-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"ruby20-2.0.0.594-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby20-debuginfo-2.0.0.594-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby20-devel-2.0.0.594-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby20-doc-2.0.0.594-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby20-irb-2.0.0.594-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ruby20-libs-2.0.0.594-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygem20-bigdecimal-1.2.0-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygem20-io-console-0.4.2-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygem20-psych-2.0.0-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygems20-2.0.14-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"rubygems20-devel-2.0.14-1.19.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby20 / ruby20-debuginfo / ruby20-devel / ruby20-doc / ruby20-irb / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1374.NASL
    descriptionAccording to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.(CVE-2014-8080) - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090) - Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.(CVE-2014-4975) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-10
    modified2018-11-21
    plugin id119065
    published2018-11-21
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119065
    titleEulerOS Virtualization 2.5.1 : ruby (EulerOS-SA-2018-1374)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119065);
      script_version("1.34");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/21");
    
      script_cve_id(
        "CVE-2014-4975",
        "CVE-2014-8080",
        "CVE-2014-8090"
      );
      script_bugtraq_id(
        68474,
        70935,
        71230
      );
    
      script_name(english:"EulerOS Virtualization 2.5.1 : ruby (EulerOS-SA-2018-1374)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ruby packages installed, the EulerOS
    Virtualization installation on the remote host is affected by the
    following vulnerabilities :
    
      - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x
        before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote
        attackers to cause a denial of service (memory
        consumption) via a crafted XML document, aka an XML
        Entity Expansion (XEE) attack.(CVE-2014-8080)
    
      - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel
        551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x
        before 2.1.5 allows remote attackers to cause a denial
        of service (CPU and memory consumption) via a crafted XML
        document containing an empty string in an entity that
        is used in a large number of nested entity references,
        aka an XML Entity Expansion (XEE) attack. NOTE: this
        vulnerability exists because of an incomplete fix for
        CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090)
    
      - Off-by-one error in the encodes function in pack.c in
        Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when
        using certain format string specifiers, allows
        context-dependent attackers to cause a denial of
        service (segmentation fault) via vectors that trigger a
        stack-based buffer overflow.(CVE-2014-4975)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1374
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?688a1521");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ruby packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-irb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-bigdecimal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-io-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-psych");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-rdoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygems");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.5.1");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "2.5.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.5.1");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ruby-2.0.0.353-23.h9",
            "ruby-irb-2.0.0.353-23.h9",
            "ruby-libs-2.0.0.353-23.h9",
            "rubygem-bigdecimal-1.2.0-23.h9",
            "rubygem-io-console-0.4.2-23.h9",
            "rubygem-json-1.7.7-23.h9",
            "rubygem-psych-2.0.0-23.h9",
            "rubygem-rdoc-4.0.0-23.h9",
            "rubygems-2.0.14-23.h9"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2397-1.NASL
    descriptionWill Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2014-4975) Willis Vandevanter discovered that Ruby incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of resources, resulting in a denial of service. (CVE-2014-8080). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id78869
    published2014-11-05
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78869
    titleUbuntu 12.04 LTS / 14.04 LTS / 14.10 : ruby1.8, ruby1.9.1, ruby2.0, ruby2.1 vulnerabilities (USN-2397-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1428.NASL
    descriptionAccording to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.(CVE-2012-4466) - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090) - Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.(CVE-2013-4287) - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.(CVE-2014-8080) - The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a
    last seen2020-03-17
    modified2019-05-14
    plugin id124931
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124931
    titleEulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-1911.NASL
    descriptionUpdated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id79642
    published2014-12-02
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79642
    titleCentOS 6 : ruby (CESA-2014:1911)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_11.NASL
    descriptionThe remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id86270
    published2015-10-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86270
    titleMac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-439.NASL
    descriptionThe REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
    last seen2020-06-01
    modified2020-06-02
    plugin id78872
    published2014-11-06
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78872
    titleAmazon Linux AMI : ruby21 (ALAS-2014-439)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-1.NASL
    descriptionThis ruby update fixes the following two security issues : - bnc#902851: fix CVE-2014-8080: Denial Of Service XML Expansion - bnc#905326: fix CVE-2014-8090: Another Denial Of Service XML Expansion - Enable tests to run during the build. This way we can compare the results on different builds.
    last seen2020-06-05
    modified2015-01-05
    plugin id80353
    published2015-01-05
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80353
    titleopenSUSE Security Update : ruby20 (openSUSE-SU-2015:0002-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-447.NASL
    descriptionThe upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit. As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time. High memory usage can be achieved using larger inputs.
    last seen2020-06-01
    modified2020-06-02
    plugin id79296
    published2014-11-18
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79296
    titleAmazon Linux AMI : ruby19 (ALAS-2014-447)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-1912.NASL
    descriptionUpdated ruby packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash. (CVE-2014-4975) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id79643
    published2014-12-02
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79643
    titleCentOS 7 : ruby (CESA-2014:1912)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-129.NASL
    descriptionUpdated ruby packages fix security vulnerabilities : Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8080). Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service (CVE-2014-4975). Due to an incomplete fix for CVE-2014-8080, 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8090).
    last seen2020-06-01
    modified2020-06-02
    plugin id82382
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82382
    titleMandriva Linux Security Advisory : ruby (MDVSA-2015:129)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-758.NASL
    descriptionruby19 was updated to fix two security issues. These security issues were fixed : - Denial Of Service XML Expansion (CVE-2014-8080). - Denial Of Service XML Expansion (CVE-2014-8090). Note: These are two separate issues.
    last seen2020-06-05
    modified2014-12-09
    plugin id79820
    published2014-12-09
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79820
    titleopenSUSE Security Update : ruby19 (openSUSE-SU-2014:1589-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3157.NASL
    descriptionMultiple vulnerabilities were discovered in the interpreter for the Ruby language : - CVE-2014-4975 The encodes() function in pack.c had an off-by-one error that could lead to a stack-based buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution. - CVE-2014-8080, CVE-2014-8090 The REXML parser could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash).
    last seen2020-03-17
    modified2015-02-10
    plugin id81250
    published2015-02-10
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81250
    titleDebian DSA-3157-1 : ruby1.9.1 - security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3159.NASL
    descriptionIt was discovered that the REXML parser, part of the interpreter for the Ruby language, could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash).
    last seen2020-03-17
    modified2015-02-11
    plugin id81279
    published2015-02-11
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81279
    titleDebian DSA-3159-1 : ruby1.8 - security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-1912.NASL
    descriptionFrom Red Hat Security Advisory 2014:1912 : Updated ruby packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash. (CVE-2014-4975) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id79594
    published2014-11-27
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79594
    titleOracle Linux 7 : ruby (ELSA-2014-1912)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-14096.NASL
    descriptionUpdate to Ruby 2.1.4. Include only vendor directories, not their content (rhbz#1114071). Fix
    last seen2020-03-17
    modified2014-11-11
    plugin id79092
    published2014-11-11
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79092
    titleFedora 21 : ruby-2.1.4-24.fc21 (2014-14096)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-6.NASL
    descriptionThe following issues were fixed in this update : - CVE-2014-8090: Denial Of Service XML Expansion (bnc#905326) - CVE-2014-8080: Denial Of Service XML Expansion (bnc#902851)
    last seen2020-06-05
    modified2015-01-05
    plugin id80356
    published2015-01-05
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80356
    titleopenSUSE Security Update : ruby2.1 (openSUSE-SU-2015:0007-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201412-27.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201412-27 (Ruby: Denial of Service) Multiple vulnerabilities have been discovered in Ruby. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass security restrictions. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id79980
    published2014-12-15
    reporterThis script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79980
    titleGLSA-201412-27 : Ruby: Denial of Service
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-1911.NASL
    descriptionUpdated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id79595
    published2014-11-27
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79595
    titleRHEL 6 : ruby (RHSA-2014:1911)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2014-225.NASL
    descriptionUpdated ruby packages fix security vulnerabilities : Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service (CVE-2014-4975). Due to an incomplete fix for CVE-2014-8080, 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service (CVE-2014-8090). Additionally ruby has been upgraded to patch level 374.
    last seen2020-06-01
    modified2020-06-02
    plugin id79571
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79571
    titleMandriva Linux Security Advisory : ruby (MDVSA-2014:225)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-88.NASL
    descriptionThis update fixes multiple local and remote denial of service and remote code execution problems : CVE-2011-0188 Properly allocate memory, to prevent arbitrary code execution or application crash. Reported by Drew Yao. CVE-2011-2686 Reinitialize the random seed when forking to prevent CVE-2003-0900-like situations. CVE-2011-2705 Modify PRNG state to prevent random number sequence repetition in a forked child process which has the same pid. Reported by Eric Wong. CVE-2011-4815 Fix a problem with predictable hash collisions resulting in denial of service (CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde. CVE-2014-8080 Fix REXML parser to prevent memory consumption denial of service via crafted XML documents. Reported by Willis Vandevanter. CVE-2014-8090 Add REXML::Document#document to complement the fix for CVE-2014-8080. Reported by Tomas Hoger. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2015-03-26
    plugin id82233
    published2015-03-26
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82233
    titleDebian DLA-88-1 : ruby1.8 security update
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20141126_RUBY_ON_SL6_X.NASL
    description: Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) All running instances of Ruby need to be restarted for this update to take effect.
    last seen: 2020-03-18
    modified: 2014-12-02
    plugin id: 79657
    published: 2014-12-02
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79657
    title: Scientific Linux Security Update : ruby on SL6.x i386/x86_64 (20141126)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20141126_RUBY_ON_SL7_X.NASL
    description: Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash. (CVE-2014-4975) All running instances of Ruby need to be restarted for this update to take effect.
    last seen: 2020-03-18
    modified: 2014-12-02
    plugin id: 79658
    published: 2014-12-02
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79658
    title: Scientific Linux Security Update : ruby on SL7.x x86_64 (20141126)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_RUBY-141230.NASL
    description: The Ruby script interpreter has been updated to fix two denial of service attacks when expanding XML. (CVE-2014-8080 / CVE-2014-8090)
    last seen: 2020-06-05
    modified: 2015-01-27
    plugin id: 81040
    published: 2015-01-27
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/81040
    title: SuSE 11.3 Security Update : Ruby (SAT Patch Number 10126)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-200.NASL
    description: CVE-2014-4975 The encodes() function in pack.c had an off-by-one error that could lead to a stack-based buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution. CVE-2014-8080, CVE-2014-8090 The REXML parser could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash). NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2015-04-16
    plugin id: 82805
    published: 2015-04-16
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82805
    title: Debian DLA-200-1 : ruby1.9.1 security update
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2014-448.NASL
    description: The upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit. As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time. High memory usage can be achieved using larger inputs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79297
    published: 2014-11-18
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79297
    title: Amazon Linux AMI : ruby20 (ALAS-2014-448)

Redhat

advisories
  • rhsa
    id: RHSA-2014:1911
  • rhsa
    id: RHSA-2014:1912
  • rhsa
    id: RHSA-2014:1913
  • rhsa
    id: RHSA-2014:1914
rpms
  • ruby-0:1.8.7.374-3.el6_6
  • ruby-debuginfo-0:1.8.7.374-3.el6_6
  • ruby-devel-0:1.8.7.374-3.el6_6
  • ruby-docs-0:1.8.7.374-3.el6_6
  • ruby-irb-0:1.8.7.374-3.el6_6
  • ruby-libs-0:1.8.7.374-3.el6_6
  • ruby-rdoc-0:1.8.7.374-3.el6_6
  • ruby-ri-0:1.8.7.374-3.el6_6
  • ruby-static-0:1.8.7.374-3.el6_6
  • ruby-tcltk-0:1.8.7.374-3.el6_6
  • ruby-0:2.0.0.353-22.el7_0
  • ruby-debuginfo-0:2.0.0.353-22.el7_0
  • ruby-devel-0:2.0.0.353-22.el7_0
  • ruby-doc-0:2.0.0.353-22.el7_0
  • ruby-irb-0:2.0.0.353-22.el7_0
  • ruby-libs-0:2.0.0.353-22.el7_0
  • ruby-tcltk-0:2.0.0.353-22.el7_0
  • rubygem-bigdecimal-0:1.2.0-22.el7_0
  • rubygem-io-console-0:0.4.2-22.el7_0
  • rubygem-json-0:1.7.7-22.el7_0
  • rubygem-minitest-0:4.3.2-22.el7_0
  • rubygem-psych-0:2.0.0-22.el7_0
  • rubygem-rake-0:0.9.6-22.el7_0
  • rubygem-rdoc-0:4.0.0-22.el7_0
  • rubygems-0:2.0.14-22.el7_0
  • rubygems-devel-0:2.0.14-22.el7_0
  • ruby193-ruby-0:1.9.3.484-50.el6
  • ruby193-ruby-0:1.9.3.484-50.el7
  • ruby193-ruby-debuginfo-0:1.9.3.484-50.el6
  • ruby193-ruby-debuginfo-0:1.9.3.484-50.el7
  • ruby193-ruby-devel-0:1.9.3.484-50.el6
  • ruby193-ruby-devel-0:1.9.3.484-50.el7
  • ruby193-ruby-doc-0:1.9.3.484-50.el6
  • ruby193-ruby-doc-0:1.9.3.484-50.el7
  • ruby193-ruby-irb-0:1.9.3.484-50.el6
  • ruby193-ruby-irb-0:1.9.3.484-50.el7
  • ruby193-ruby-libs-0:1.9.3.484-50.el6
  • ruby193-ruby-libs-0:1.9.3.484-50.el7
  • ruby193-ruby-tcltk-0:1.9.3.484-50.el6
  • ruby193-ruby-tcltk-0:1.9.3.484-50.el7
  • ruby193-rubygem-bigdecimal-0:1.1.0-50.el6
  • ruby193-rubygem-bigdecimal-0:1.1.0-50.el7
  • ruby193-rubygem-io-console-0:0.3-50.el6
  • ruby193-rubygem-io-console-0:0.3-50.el7
  • ruby193-rubygem-json-0:1.5.5-50.el6
  • ruby193-rubygem-json-0:1.5.5-50.el7
  • ruby193-rubygem-minitest-0:2.5.1-50.el6
  • ruby193-rubygem-minitest-0:2.5.1-50.el7
  • ruby193-rubygem-rake-0:0.9.2.2-50.el6
  • ruby193-rubygem-rake-0:0.9.2.2-50.el7
  • ruby193-rubygem-rdoc-0:3.9.5-50.el6
  • ruby193-rubygem-rdoc-0:3.9.5-50.el7
  • ruby193-rubygems-0:1.8.23-50.el6
  • ruby193-rubygems-0:1.8.23-50.el7
  • ruby193-rubygems-devel-0:1.8.23-50.el6
  • ruby193-rubygems-devel-0:1.8.23-50.el7
  • ruby200-ruby-0:2.0.0.353-24.el6
  • ruby200-ruby-0:2.0.0.353-24.el7
  • ruby200-ruby-debuginfo-0:2.0.0.353-24.el6
  • ruby200-ruby-debuginfo-0:2.0.0.353-24.el7
  • ruby200-ruby-devel-0:2.0.0.353-24.el6
  • ruby200-ruby-devel-0:2.0.0.353-24.el7
  • ruby200-ruby-doc-0:2.0.0.353-24.el6
  • ruby200-ruby-doc-0:2.0.0.353-24.el7
  • ruby200-ruby-irb-0:2.0.0.353-24.el6
  • ruby200-ruby-irb-0:2.0.0.353-24.el7
  • ruby200-ruby-libs-0:2.0.0.353-24.el6
  • ruby200-ruby-libs-0:2.0.0.353-24.el7
  • ruby200-ruby-tcltk-0:2.0.0.353-24.el6
  • ruby200-ruby-tcltk-0:2.0.0.353-24.el7
  • ruby200-rubygem-bigdecimal-0:1.2.0-24.el6
  • ruby200-rubygem-bigdecimal-0:1.2.0-24.el7
  • ruby200-rubygem-io-console-0:0.4.2-24.el6
  • ruby200-rubygem-io-console-0:0.4.2-24.el7
  • ruby200-rubygem-json-0:1.7.7-24.el6
  • ruby200-rubygem-json-0:1.7.7-24.el7
  • ruby200-rubygem-minitest-0:4.3.2-24.el6
  • ruby200-rubygem-minitest-0:4.3.2-24.el7
  • ruby200-rubygem-psych-0:2.0.0-24.el6
  • ruby200-rubygem-psych-0:2.0.0-24.el7
  • ruby200-rubygem-rake-0:0.9.6-24.el6
  • ruby200-rubygem-rake-0:0.9.6-24.el7
  • ruby200-rubygem-rdoc-0:4.0.0-24.el6
  • ruby200-rubygem-rdoc-0:4.0.0-24.el7
  • ruby200-rubygems-0:2.0.14-24.el6
  • ruby200-rubygems-0:2.0.14-24.el7
  • ruby200-rubygems-devel-0:2.0.14-24.el6
  • ruby200-rubygems-devel-0:2.0.14-24.el7