Bug 138323 - dev-ruby/rails <1.1.3 - excess CPU usage in Rails processes when triggered by certain URLs
Summary: dev-ruby/rails <1.1.3 - excess CPU usage in Rails processes when triggered by...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High trivial
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2006/6/...
Whiteboard: B4? [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
Reported: 2006-06-28 02:56 UTC by Luigi Belli
Modified: 2006-08-02 00:58 UTC

See Also:
Package list:
Runtime testing required: ---
Description Luigi Belli 2006-06-28 02:56:04 UTC
http://weblog.rubyonrails.org/2006/6/27/rails-1-1-3-security-fix-and-minor-fixes
Security and performance fixes
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-06-28 03:03:01 UTC
Security, interested in this?
Comment 2 Wolf Giesen (RETIRED) gentoo-dev 2006-06-28 13:55:23 UTC
For my part, I am, but the description is so vague we need to dig up something more or audit it (the latter not really being an option given the size of the project .-), IMHO.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 09:14:08 UTC
Pulling in ruby for advice.
Comment 4 Caleb Tennis (RETIRED) gentoo-dev 2006-07-03 04:54:42 UTC
I think we're good asking arches to mark 1.1.4 stable. It's the official fix, and if people need earlier versions within their rails code they can easily do that with all of the goodies that are provided within rails.
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-07-03 05:14:27 UTC
I'll second that.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-03 05:42:59 UTC
Arches please test and mark stable.
Comment 7 Lars Weiler (RETIRED) gentoo-dev 2006-07-03 07:39:01 UTC
rails-1.1.4 stable on ppc.
Comment 8 Joshua Jackson (RETIRED) gentoo-dev 2006-07-05 10:47:06 UTC
x86 should be done ^.^ *crosses fingers*
Comment 9 Jason Wever (RETIRED) gentoo-dev 2006-07-05 18:14:24 UTC
Stable on SPARC
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:44:36 UTC
amd64, about time to mark stable.
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2006-07-31 01:31:43 UTC
amd64 done. sorry about the huge delay.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-07-31 13:45:32 UTC
"a security issue with routing that could cause excess CPU usage in Rails processes when triggered by certain URLs" :  voting no.
Comment 13 Wolf Giesen (RETIRED) gentoo-dev 2006-07-31 22:12:15 UTC
"While certain URLs cause excess CPU usage, other URLs cause Rails to shut down uncleanly or halt (depending upon deployment environment). You need to upgrade. (It appears that Rails 1.0 is not vulnerable to this DOS, but I haven't tested.)"

(from http://blog.segment7.net/articles/2006/06/28/upgrade-to-rails-1-1-3-now)

I'd tend to vote yes. It's a bit weak, but there is corporate ruby stuff out there.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-01 00:50:17 UTC
I tend to vote NO.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-01 10:33:00 UTC
no too
Comment 16 Wolf Giesen (RETIRED) gentoo-dev 2006-08-01 21:00:29 UTC
That should conclude it, then.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-02 00:58:11 UTC
Closing with NO GLSA.

Feel free to reopen if you disagree.