From Secunia security advisory at $URL: Description: The vulnerability is caused due to an error within a hash generation function when hashing form posts and updating a hash table. This can be exploited to cause a hash collision resulting in high CPU consumption via a specially crafted form sent in an HTTP POST request. The vulnerability is reported in version 1.2.0 and prior. Solution: Fixed in the GIT repository.
Already masked the slot that did not receive fixes. I have bumps ready for all other slots, but they are pending test failures already reported upstream.
I have just added version bumps for all remaining slots. Only one version needs to be stabled (not the latest in that slot to avoid file collisions with later slots). =dev-ruby/rack-1.1.3
Arches, please test and mark stable: =dev-ruby/rack-1.1.3 Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
amd64 stable
CVE-2011-5036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5036): Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
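To illustrate the defensive idea behind the fix (bounding the work a request can force before the parameters are inserted into a hash), here is an added Ruby example; it is not Rack's own code, and the 65536-byte cap on cumulative key bytes, the `parse_form_params`/`classify_request` names and the constructed request bodies are assumptions.

```ruby
require 'cgi'

# Constructed example (not Rack's implementation): a form-body parser that
# caps the total number of bytes spent on distinct parameter keys. A request
# carrying many crafted parameters is rejected once the cap is reached, so the
# hashing work is bounded by the cap rather than by the size of the body.
class KeySpaceExceeded < StandardError; end

KEY_SPACE_LIMIT = 65_536 # assumed default cap on cumulative key bytes

# Parses an application/x-www-form-urlencoded body into a Hash.
# Raises KeySpaceExceeded *before* inserting the key that would push the
# cumulative key size over the limit. Duplicate keys overwrite and are not
# counted twice, matching the "last value wins" behaviour of a plain Hash.
def parse_form_params(body, limit: KEY_SPACE_LIMIT)
  params = {}
  key_bytes = 0
  body.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split('=', 2)
    key = CGI.unescape(raw_key)
    val = raw_val.nil? ? nil : CGI.unescape(raw_val)
    unless params.key?(key)
      key_bytes += key.bytesize
      if key_bytes > limit
        raise KeySpaceExceeded, "parameter key space exceeds #{limit} bytes"
      end
    end
    params[key] = val
  end
  params
end

# Convenience wrapper for a request handler: :accepted when the body parses
# within the limit, :rejected when the key-space cap is hit (an application
# would answer such a request with a 4xx instead of hashing every key).
def classify_request(body, limit: KEY_SPACE_LIMIT)
  parse_form_params(body, limit: limit)
  :accepted
rescue KeySpaceExceeded
  :rejected
end
```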
ppc/ppc64 done
x86 stable
ia64/sparc stable
@security, please vote.
Thanks, folks. GLSA Vote: yes.
Vote: yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201203-05 at http://security.gentoo.org/glsa/glsa-201203-05.xml by GLSA coordinator Sean Amoss (ackle).