Specially crafted POST parameters can be used to cause hash table operations with a time complexity of O(n^2), causing a Denial of Service. As per $URL, Rubinius is affected. There is no CVE assigned yet for this flaw in Rubinius.
Patch available at https://github.com/rubinius/rubinius/commit/a9a40fc6a1256bcf6382631b710430105c5dd868 but it looks like it adds a dependency in the process.
*** Bug 445342 has been marked as a duplicate of this bug. ***
(In reply to GLSAMaker/CVETool Bot from comment #0) > CVE-2012-5372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5372): > Rubinius computes hash values without properly restricting the ability to > trigger hash collisions predictably, which allows context-dependent > attackers to cause a denial of service (CPU consumption) via crafted input > to an application that maintains a hash table, as demonstrated by a > universal multicollision attack against the MurmurHash3 algorithm.
Vulnerable ebuilds have been removed. Package was never put into stable. GLSA coordinators: Please resolve this bug.
