Security update for rubygem-bson-1_11, rubygem-easy_diff, rubygem-redcarpet, and rubygem-sprockets-2_11 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2019-1 Final 1 1 2016-08-09T18:27:03Z current 2016-08-09T18:27:03Z 2016-08-09T18:27:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-bson-1_11, rubygem-easy_diff, rubygem-redcarpet, and rubygem-sprockets-2_11 This update for rubygem-bson-1_11, rubygem-easy_diff, rubygem-redcarpet, and rubygem-sprockets-2_11 fixes the following issues: - Avoid monodb data injection (bnc#933961, CVE-2015-4410) - Fixes merging of Arrays of Hashes (bsc#982364) - Fix XSS via autolinking of untrusted markdown (bsc#926328) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleclo50sp3-rubygem-bson-12686 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162019-1/ Link for SUSE-SU-2016:2019-1 https://lists.suse.com/pipermail/sle-security-updates/2016-August/002202.html E-Mail link for SUSE-SU-2016:2019-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/926328 SUSE Bug 926328 https://bugzilla.suse.com/933961 SUSE Bug 933961 https://bugzilla.suse.com/982364 SUSE Bug 982364 https://www.suse.com/security/cve/CVE-2015-4410/ SUSE CVE CVE-2015-4410 page SUSE OpenStack Cloud 5 ruby2.1-rubygem-bson-1_11-1.11.1-9.1 ruby2.1-rubygem-easy_diff-0.0.5-9.1 ruby2.1-rubygem-redcarpet-3.2.3-9.1 ruby2.1-rubygem-sprockets-2_11-2.11.3-11.1 ruby2.1-rubygem-bson-1_11-1.11.1-9.1 as a component of SUSE OpenStack Cloud 5 ruby2.1-rubygem-easy_diff-0.0.5-9.1 as a component of SUSE OpenStack Cloud 5 ruby2.1-rubygem-redcarpet-3.2.3-9.1 as a component of SUSE OpenStack Cloud 5 ruby2.1-rubygem-sprockets-2_11-2.11.3-11.1 as a component of SUSE OpenStack Cloud 5 The Moped::BSON::ObjecId.legal? method in rubygem-moped before commit dd5a7c14b5d2e466f7875d079af71ad19774609b allows remote attackers to cause a denial of service (worker resource consumption) or perform a cross-site scripting (XSS) attack via a crafted string. CVE-2015-4410 SUSE OpenStack Cloud 5:ruby2.1-rubygem-bson-1_11-1.11.1-9.1 SUSE OpenStack Cloud 5:ruby2.1-rubygem-easy_diff-0.0.5-9.1 SUSE OpenStack Cloud 5:ruby2.1-rubygem-redcarpet-3.2.3-9.1 SUSE OpenStack Cloud 5:ruby2.1-rubygem-sprockets-2_11-2.11.3-11.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162019-1/ https://www.suse.com/security/cve/CVE-2015-4410.html CVE-2015-4410 https://bugzilla.suse.com/933961 SUSE Bug 933961