Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 157048
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Diego E. 'Flameeyes' Pettenò <flameeyes@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 157048 depends on: Show dependency tree
Bug 157048 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-12-04 00:33 0000 
Quoting from the site

--
Another vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a denial of
service attack (DoS).

This vulnerability is open to the public as JVN#84798830.

Please note that the previous patch
(<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>) does
not fix this problem.

Impact

A specific HTTP request for any web application using cgi.rb causes CPU
consumption on the machine on which the web application is running. Many such
requests result in a denial of service.

Vulnerable versions

1.8 series
 1.8.5 and all prior versions 
Development version (1.9 series)
 All versions before 2006-12-04 

Solution

1.8 series
Please upgrade to 1.8.5-p2.
<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz> (4519151
bytes, md5sum: a3517a224716f79b14196adda3e88057)
Please note that a package that corrects this weakness may already be available
through your package management software.
--

I'll see to prepare an ebuild for 1.8.5-p2.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-12-04 01:09:42 0000 ------- 
thx Flameeyes

------- Comment #2 From Diego E. 'Flameeyes' Pettenò 2006-12-04 01:38:06 0000 ------- 
1.8.5_p2 in tree.

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-12-04 01:51:24 0000 ------- 
arches, please test and stable 1.8.5_p2, thx

------- Comment #4 From Jakub Moc (RETIRED) 2006-12-04 03:05:27 0000 ------- 
*** Bug 157038 has been marked as a duplicate of this bug. ***

------- Comment #5 From Luis Medinas (RETIRED) 2006-12-04 04:26:43 0000 ------- 
apart from make test failures (normal issue and an old bug) amd64 got stable
love.

------- Comment #6 From Gustavo Zacarias (RETIRED) 2006-12-04 06:14:23 0000 ------- 
sparc stable.

------- Comment #7 From Brent Baude 2006-12-04 07:24:51 0000 ------- 
ppc64 stable

------- Comment #8 From Alexander Færøy 2006-12-04 09:44:04 0000 ------- 
Stable on Alpha.

------- Comment #9 From Tobias Scherbaum 2006-12-04 10:16:54 0000 ------- 
ppc stable

------- Comment #10 From Markus Rothe 2006-12-04 10:29:40 0000 ------- 
ranger marked stable on ppc64

------- Comment #11 From Jeroen Roovers 2006-12-04 14:35:38 0000 ------- 
Stable for HPPA.

------- Comment #12 From Christian Faulhammer 2006-12-05 00:07:29 0000 ------- 
x86 done

------- Comment #13 From Raphael Marichez 2006-12-15 07:50:54 0000 ------- 
"A specific HTTP request for any web application using cgi.rb causes CPU
consumption "  --> i vote GLSA

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-12-15 08:11:40 0000 ------- 
I vote YES as well.

------- Comment #15 From Wolf Giesen (RETIRED) 2006-12-15 10:21:42 0000 ------- 
Nobody will care for my addon YES, then ^_^

------- Comment #16 From Raphael Marichez 2006-12-21 05:47:12 0000 ------- 
GLSA 200612-21 , thanks everybody!

------- Comment #17 From Raúl Porcel 2007-03-31 18:23:18 0000 ------- 
ia64 stable
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug