Marking this as private for now.

-----Forwarded Message-----
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby
Date: Wed, 03 Nov 2004 09:20:37 +0100

Moin everybody! I don't know if some of you are also shipping a version of ruby in your distributions. We have received a report that the upstream developers have corrected a problem that could be triggered remotely and cause an infinite loop on the server, since it's the CGI module. The patch is here: http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.23.2.17&r2=1.23.2.18 This problem is semi-public already (upstream cvs, Debian packages), so it may not be too useful to try a coordinated release, but if you would like to, I could postpone the advisory a bit.
ruby folks, could you please have a look at this? Adding usata as an explicit CC since I'm not sure he can see the bug, otherwise.
Adding xavier so he can see the bug.
I'll look into this problem (I get bugzilla mail from ruby alias).
But now you can't see this bug or comment here anymore.
Putting individual names rather than aliases.
Debian published http://www.debian.org/security/2004/dsa-586. Ruby, please provide a fixed ebuild.
Thanks for re-adding me to this bug (I was not aware that I was not able to revisit the security bug). I added ruby-1.6.8-r12 on 5 Nov, and agriffis added ruby-1.8.2_pre3 yesterday. Both versions contain the fix by ruby upstream. I could make patched revisions of <=ruby-1.8.2_pre2, but I would rather ask arch devs to test 1.6.8-r12 and ruby-1.8.2_pre3 and mark them stable.
Arches please mark ruby-1.6.8-r1 and ruby-1.8.2_pre3 stable.
I cannot mark stable on ppc64. Won't compile:

[...]
./mkconfig.rb:142: syntax error
[...]

Markus
Do you have cjk in USE?
1.8.2_pre3 stable for sparc. I cannot comment on 1.6.8-r1.
1.8.2_pre3 and 1.6.8-r12 stable on amd64.
This is keyworded for ppc-macos, but that's not the arch alias. CC'ing kito and ndimiduk
Stable on ppc (both). Greets
Stable on alpha.
Hmm... mysterious. I cannot reproduce that error again. dev-lang/ruby-1.8.2_pre3 is now stable on ppc64.
Stable on ppc-macos.
1.6.8-r12 is also stable for sparc. Builds, installs, and runs test cases as expected.
x86 there
Security, please vote on a GLSA (since this is rated B3). /me votes for a GLSA; at least Debian, Mandrake and Ubuntu have published advisories already.
I vote for a GLSA too.
Stable on mips.
I vote YES too.
GLSA 200411-23. arm, hppa, ia64: please mark stable to benefit from the GLSA.
s390 should also mark 1.8.2_pre3 stable. Ruby team: please clean up old vulnerable versions.