1
PublicDateAtUSN: 2010-01-13
2
Candidate: CVE-2009-4492
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4492
6
https://usn.ubuntu.com/usn/usn-900-1
8
WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through
9
patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes
10
data to a log file without sanitizing non-printable characters, which might
11
allow remote attackers to modify a window's title, or possibly execute
12
arbitrary commands or overwrite files, via an HTTP request containing an
13
escape sequence for a terminal emulator.
16
jdstrand> if there is a problem, it is the terminal that has the issue
18
https://bugs.edge.launchpad.net/ubuntu/+source/ruby1.9.1/+bug/509392
19
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564647 (1.9)
20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564598 (1.8)
21
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564646 (1.9.1)
23
Discovered-by: Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro
27
upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26267
28
upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26281
29
upstream_ruby1.8: released (1.8.7.249-1)
30
dapper_ruby1.8: ignored (reached end-of-life)
31
hardy_ruby1.8: ignored (reached end-of-life)
32
intrepid_ruby1.8: needed (reached end-of-life)
33
jaunty_ruby1.8: ignored (reached end-of-life)
34
karmic_ruby1.8: ignored (reached end-of-life)
35
lucid_ruby1.8: not-affected (1.8.7.249-2)
36
maverick_ruby1.8: not-affected
37
natty_ruby1.8: not-affected
38
oneiric_ruby1.8: not-affected
39
devel_ruby1.8: not-affected
42
upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26267
43
upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26281
44
upstream_ruby1.9: needs-triage
45
dapper_ruby1.9: ignored (reached end-of-life)
46
hardy_ruby1.9: ignored (reached end-of-life)
47
intrepid_ruby1.9: released (1.9.0.2-7ubuntu1.3)
48
jaunty_ruby1.9: released (1.9.0.2-9ubuntu1.2)
49
karmic_ruby1.9: released (1.9.0.5-1ubuntu1.2)
50
lucid_ruby1.9: released (1.9.0.5-1ubuntu2)
51
maverick_ruby1.9: DNE (pulled 2010-07-27)
52
natty_ruby1.9: DNE (pulled 2010-07-27)
53
oneiric_ruby1.9: DNE (pulled 2010-07-27)
54
devel_ruby1.9: DNE (pulled 2010-07-27)
57
upstream_ruby1.9.1: released (1.9.1.378-1)
60
intrepid_ruby1.9.1: DNE
62
karmic_ruby1.9.1: ignored (reached end-of-life)
63
lucid_ruby1.9.1: not-affected (1.9.1.378-1)
64
maverick_ruby1.9.1: not-affected
65
natty_ruby1.9.1: not-affected
66
oneiric_ruby1.9.1: not-affected
67
devel_ruby1.9.1: not-affected