SUSE-SU-2015:0795-1: moderate: Security update for rubygem-bundler

sle-security-updates at lists.suse.com
Tue Apr 28 12:04:48 MDT 2015


   SUSE Security Update: Security update for rubygem-bundler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0795-1
Rating:             moderate
References:         #898205 
Cross-References:   CVE-2013-0334
Affected Products:
                    WebYaST 1.3
                    SUSE Studio Onsite 1.3
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise High Availability Extension 11 SP3
                    SUSE Lifecycle Management Server 1.3
                    SUSE Cloud 4
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It
   includes one version update.

Description:


   The rubygem bundler has been updated to 1.7.0 to fix an issue where it
   downloaded Ruby gems from a different server than the intended one.
   (CVE-2013-0334)

   Bundler 1.7 is a security-only release to address CVE-2013-0334, a
   vulnerability where a gem might have been installed from an unintended
   source server, particularly while using both rubygems.org and
   gems.github.com.


   Upstream changes entry with more explanations:

   Any Gemfile with multiple top-level source lines cannot reliably control
   the gem server that a particular gem is fetched from. As a result, Bundler
   might install the wrong gem if more than one source provides a gem with
   the same name.

   This is especially possible in the case of Github's legacy gem server,
   hosted at gems.github.com. An attacker might create a malicious gem on
   Rubygems.org with the same name as a commonly-used Github gem. From that
   point forward, running bundle install might result in the malicious gem
   being used instead of the expected gem.

   To mitigate this, the Bundler and Rubygems.org teams worked together to
   copy almost every gem hosted on gems.github.com to rubygems.org, reducing
   the number of gems that can be used for such an attack.


   Resolution

   To resolve this issue, upgrade to Bundler 1.7 by running gem install
   bundler. The next time you run bundle install for any Gemfile that
   contains multiple sources, each gem available from multiple sources will
   print a warning.

   For every warning printed, edit the Gemfile to either specify a :source
   option for that gem, or move the gem line into a block that is passed to a
   source method call.

   For detailed information about the changes to how sources are handled in
   Bundler version 1.7, see the release announcement.
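
   The following is an added example, not part of this advisory and not
   Bundler's own code. It is a small Ruby script that evaluates Gemfile
   text through the same source/gem DSL calls and reports gems whose
   source is ambiguous (declared at top level while more than one
   top-level source line exists), which is the condition behind
   CVE-2013-0334. The two constructed Gemfiles show the ambiguous form
   beside the form the Resolution above describes: a :source option on
   the gem, or a gem inside a block passed to source. The gem names
   "example-github-gem" and "another-example-gem", the class
   GemfileSourceLint and the helper ambiguous_gems are hypothetical.

```ruby
# Added example (not Bundler's own code): a minimal lint that evaluates the
# `source`/`gem` calls of a Gemfile and reports gems whose source is
# ambiguous, i.e. top-level gems while several top-level sources exist.
class GemfileSourceLint
  attr_reader :top_level_sources, :gems

  def initialize
    @top_level_sources = [] # URLs from bare `source "..."` lines
    @gems = {}              # gem name => Array of candidate sources, or :top_level
    @block_source = nil     # source we are inside while in a `source ... do` block
  end

  # Evaluate the Gemfile text against this object so that the DSL's
  # `source` and `gem` calls resolve to the methods below.
  def self.lint(gemfile_text)
    lint = new
    lint.instance_eval(gemfile_text, "Gemfile", 1)
    lint
  end

  # `source "url"` at top level registers a global source; `source "url" do`
  # scopes every gem declared inside the block to that one source.
  def source(url)
    if block_given?
      previous, @block_source = @block_source, url
      begin
        yield
      ensure
        @block_source = previous
      end
    else
      @top_level_sources << url
    end
  end

  # Version requirements are accepted and ignored; only the source matters.
  def gem(name, *_requirements, **opts)
    @gems[name] = if opts[:source]
                    [opts[:source]]        # pinned with the :source option
                  elsif @block_source
                    [@block_source]        # pinned by the enclosing block
                  else
                    :top_level             # resolved against all top-level sources
                  end
  end

  # Gems that could be fetched from more than one source, with the candidates.
  def ambiguous
    @gems.each_with_object({}) do |(name, sources), out|
      candidates = sources == :top_level ? @top_level_sources : sources
      out[name] = candidates if candidates.length > 1
    end
  end
end

# Constructed sample: two top-level sources, gems pinned to neither.
AMBIGUOUS_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "http://gems.github.com"

  gem "rails", "~> 4.0"
  gem "example-github-gem"
GEMFILE

# Constructed sample restructured as the Resolution describes: one top-level
# source; gems from the other server carry :source or sit in a source block.
FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 4.0"
  gem "example-github-gem", source: "http://gems.github.com"

  source "http://gems.github.com" do
    gem "another-example-gem"
  end
GEMFILE

# Names of the gems whose source cannot be determined reliably.
def ambiguous_gems(gemfile_text)
  GemfileSourceLint.lint(gemfile_text).ambiguous.keys
end

if __FILE__ == $PROGRAM_NAME
  GemfileSourceLint.lint(AMBIGUOUS_GEMFILE).ambiguous.each do |name, sources|
    puts "#{name}: could be fetched from #{sources.join(' or ')}"
  end
  puts "fixed Gemfile ambiguous gems: #{ambiguous_gems(FIXED_GEMFILE).inspect}"
end
```

   Running the script lists "rails" and "example-github-gem" for the
   first Gemfile and an empty list for the second; the lint deliberately
   reports a gem only when more than one candidate source remains, which
   is the same condition that triggers Bundler 1.7's warning.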

   Security Issues:

       * CVE-2013-0334
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0334>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.3:

      zypper in -t patch slewyst13-rubygem-bundler=10449

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-rubygem-bundler19=10451 slestso13-rubygem-bundler=10449

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-rubygem-bundler=10450

   - SUSE Linux Enterprise High Availability Extension 11 SP3:

      zypper in -t patch slehasp3-rubygem-bundler=10450

   - SUSE Lifecycle Management Server 1.3:

      zypper in -t patch sleslms13-rubygem-bundler=10449

   - SUSE Cloud 4:

      zypper in -t patch sleclo40sp3-rubygem-bundler=10448

   To bring your system up-to-date, use "zypper patch".


Package List:

   - WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.0]:

      rubygem-bundler-1.7.0-0.7.1

   - SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.7.0]:

      rubygem-bundler-1.7.0-0.7.1
      rubygem-bundler19-1.7.0-0.12.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.0]:

      rubygem-bundler-1.7.0-0.7.1

   - SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.0]:

      rubygem-bundler-1.7.0-0.7.1

   - SUSE Lifecycle Management Server 1.3 (x86_64) [New Version: 1.7.0]:

      rubygem-bundler-1.7.0-0.7.1

   - SUSE Cloud 4 (x86_64) [New Version: 1.7.0]:

      rubygem-bundler-1.7.0-0.7.1


References:

   https://www.suse.com/security/cve/CVE-2013-0334.html
   https://bugzilla.suse.com/898205
   https://download.suse.com/patch/finder/?keywords=12083e22b331c4ebbb397c33df209d72
   https://download.suse.com/patch/finder/?keywords=3bf8889ebbe831feae77fdcdac5e040d
   https://download.suse.com/patch/finder/?keywords=6f965f320be4e2e34128abad27d1693f
   https://download.suse.com/patch/finder/?keywords=ebabd5437da1b30f06ea1b1d962e5995
