Summary: | dev-ruby/rack-1.1.3 Hash collision DoS (CVE-2011-5036) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | ruby
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://secunia.com/advisories/47414/ | |
Whiteboard: | B3 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 396397 | |
Description
Agostino Sarubbo
2011-12-29 21:05:20 UTC
Already masked the slot that did not receive fixes. I have bumps ready for all other slots, but they are pending test failures already reported upstream.

I have just added version bumps for all remaining slots. Only one version needs to be stabled (not the latest in that slot, to avoid file collisions with later slots): =dev-ruby/rack-1.1.3

Arches, please test and mark stable: =dev-ruby/rack-1.1.3
Target keywords: "amd64 ia64 ppc ppc64 sparc x86"

amd64 stable

CVE-2011-5036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5036): Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

ppc/ppc64 done

x86 stable

ia64/sparc stable

@security, please vote. Thanks, folks.

GLSA Vote: yes.

Vote: yes. GLSA request filed.

This issue was resolved and addressed in GLSA 201203-05 at http://security.gentoo.org/glsa/glsa-201203-05.xml by GLSA coordinator Sean Amoss (ackle).
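The CVE text above describes the attack (many crafted parameter names that collide in the language's Hash function, so inserting them degrades to quadratic time) but not the mitigation. The following is an added example, written for this page and not taken from Rack's source or from this bug: a minimal Ruby form-parameter parser that caps the cumulative byte size of parameter names before any Hash insertion happens, which is the shape of defence rack 1.1.3 shipped. The module name `KeyedQuery`, the helper `flood_query` and the 65536-byte default are assumptions chosen for the example; the collision-prone keys themselves are not reproduced, since only the byte volume matters to the cap.

```ruby
require 'cgi'

# Added example, not Rack's own code. A form/query-string parser that
# bounds the attacker's work factor for a hash-flooding DoS by refusing
# the request once the total bytes of parameter *names* pass a limit.
# Each colliding key costs the server O(n) on insertion, so n keys cost
# O(n^2); capping the key bytes caps n before the Hash is ever built.
module KeyedQuery
  # Assumed default; chosen to match the order of magnitude a web server
  # can afford per request, not taken from any specific release.
  DEFAULT_KEY_SPACE_LIMIT = 65_536

  class KeySpaceExceeded < RangeError; end

  # Parse "a=1&b=2" (or ';'-separated) into a Hash.
  # Raises KeySpaceExceeded as soon as the cumulative unescaped key
  # size exceeds +limit+ bytes, before the offending key is inserted.
  def self.parse(qs, limit: DEFAULT_KEY_SPACE_LIMIT)
    params = {}
    bytes = 0
    qs.to_s.split(/[&;] */).each do |pair|
      next if pair.empty?
      k, v = pair.split('=', 2).map { |x| CGI.unescape(x) }
      next unless k
      bytes += k.bytesize
      if bytes > limit
        raise KeySpaceExceeded,
              "exceeded available parameter key space (#{bytes} > #{limit})"
      end
      params[k] = v
    end
    params
  end

  # Constructed attacker-style payload: +n+ distinct parameter names of
  # +klen+ bytes each. A real exploit would pick names that collide in
  # the interpreter's hash function; for exercising the cap, any names
  # of the same total size behave identically.
  def self.flood_query(n, klen = 8)
    (0...n).map { |i| "#{i.to_s(36).rjust(klen, 'x')}=1" }.join('&')
  end
end

if __FILE__ == $PROGRAM_NAME
  p KeyedQuery.parse('user=alice&mode=edit')
  begin
    KeyedQuery.parse(KeyedQuery.flood_query(20_000))
  rescue KeyedQuery::KeySpaceExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

The check sits inside the parsing loop rather than after it so that a rejected request never pays for the Hash insertions it was trying to trigger; a count-based limit on the number of parameters works the same way and is what most frameworks added alongside randomised hash seeds.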