Summary: | <dev-ruby/rubygems-2.0.10: Algorithmic complexity vulnerability (CVE-2013-{4287,4363}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | ruby |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2013/09/10/1 | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 508996 | | |
Bug Blocks: | | | |
Description
Agostino Sarubbo
2013-09-10 14:04:36 UTC
rubygems 2.0.8 is now in the tree, but I believe that we should test this version for at least a week before starting stabilization.

(In reply to Hans de Graaff from comment #1)
> rubygems 2.0.8 is now in the tree, but I believe that we should test this
> version for at least a week before starting stabilization.

Well, tell me if I can help with building something.

http://www.openwall.com/lists/oss-security/2013/09/18/1 : This patch does not fix the issue.

CVE-2013-4363 has been assigned.

Upstream mentions a new release is scheduled for Sep 23rd. We'll wait for that.

rubygems 2.0.10 is now in the tree and should fix the remaining issues. A few days of testing and then we should be good to go.

CVE-2013-4363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4363): Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

CVE-2013-4287 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4287): Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

rubygems 2.0.14 is now stable for all arches and older versions affected by this bug have been removed.

Vulnerable packages have been removed. GLSA Coordinators: Please cast your votes.

GLSA Vote: No

GLSA vote: no.
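Both CVEs above concern a version-string regex whose backtracking grows with crafted input. As an added example that is not RubyGems' or Gentoo's code, the Ruby below shows two bounded checks for gem-style version strings: a linear-time split-and-validate parse and an atomic-group regex that cannot revisit already-matched segments. The accepted grammar, the 128-byte cap and the function names are constructed assumptions, not a copy of Gem::Version::VERSION_PATTERN.

```ruby
# Added example, not RubyGems' own code. The accepted grammar (a numeric
# first segment, then dot-separated alphanumeric segments) is a constructed
# approximation of Gem::Version::VERSION_PATTERN, not a copy of it.
MAX_VERSION_BYTES = 128 # constructed cap; RubyGems itself defines no such limit

# Linear-time parse: split on dots and check each segment with a single
# anchored character class. No nested or optional quantifiers are involved,
# so the work done is proportional to the input length for every input.
# Returns the segments on success, nil on malformed or over-long input.
def version_segments(str)
  return nil unless str.is_a?(String)
  return nil if str.empty? || str.bytesize > MAX_VERSION_BYTES
  segments = str.split(".", -1)          # -1 keeps trailing empty fields
  return nil if segments.any?(&:empty?)  # rejects "1..2", ".1" and "1."
  return nil unless segments.first.match?(/\A[0-9]+\z/)
  return nil unless segments.drop(1).all? { |s| s.match?(/\A[0-9a-zA-Z]+\z/) }
  segments
end

def valid_gem_version?(str)
  !version_segments(str).nil?
end

# Regex alternative for the same grammar. The atomic group (?>...) commits
# to each matched segment, so a failing tail cannot make the engine revisit
# earlier split points; the length cap is still enforced before matching.
ATOMIC_VERSION_RE = /\A[0-9]+(?>\.[0-9a-zA-Z]+)*\z/

def valid_gem_version_re?(str)
  return false unless str.is_a?(String) && str.bytesize <= MAX_VERSION_BYTES
  ATOMIC_VERSION_RE.match?(str)
end

# Both checks must agree; a disagreement means one grammar has drifted.
def checks_agree?(str)
  valid_gem_version?(str) == valid_gem_version_re?(str)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, including malformed and over-long strings.
  ["2.0.10", "1.8.23.2", "1.0.pre1", "1..2", "1.", ".1", "", "1 .2", "x" * 200].each do |v|
    puts "#{v.inspect[0, 20]} -> #{valid_gem_version?(v)} (agree: #{checks_agree?(v)})"
  end
end
```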