Summary: | <dev-java/jruby-1.6.5.1 Hash collision DoS (CVE-2011-4838) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | java, phajdan.jr, ruby |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://jruby.org/2011/12/27/jruby-1-6-5-1.html | | |
Whiteboard: | B3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 412379 | | |
Bug Blocks: | 396397, 412901 | | |
Description
Alex Legler (RETIRED)
2011-12-28 14:29:22 UTC
CVE-2011-4838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4838): JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Update: with joint effort from the ruby and java team we now have a jruby 1.6.5.1 ebuild in the ruby overlay which appears to be working but needs further testing. We also need some updated java dependencies in CVS before we can move this ebuild there.

jruby 1.6.5.1 is now in the main tree.

Arches, please test and mark stable:
=dev-java/jruby-1.6.5.1
Target keywords : "amd64 x86"

I get a bunch of unstable java packages as blocking dependencies on x86. Any info on how to proceed?
=dev-java/bytelist-1.0.9 ~x86
=dev-java/jnr-x86asm-1.0.1 ~x86
=dev-java/jcodings-1.0.5 ~x86
=dev-java/jnr-posix-1.1.8 ~x86
=dev-java/jnr-constants-0.8.2 ~x86
=dev-java/osgi-core-api-4.3 ~x86
=dev-java/jnr-ffi-0.5.10 ~x86
=dev-java/jffi-1.0.11 ~x86
=dev-java/snakeyaml-1.9 ~x86

(In reply to comment #5)
> I get a bunch of unstable java packages as blocking dependencies on x86. Any
> info on how to proceed?
>
> =dev-java/bytelist-1.0.9 ~x86
> =dev-java/jnr-x86asm-1.0.1 ~x86
> =dev-java/jcodings-1.0.5 ~x86
> =dev-java/jnr-posix-1.1.8 ~x86
> =dev-java/jnr-constants-0.8.2 ~x86
> =dev-java/osgi-core-api-4.3 ~x86
> =dev-java/jnr-ffi-0.5.10 ~x86
> =dev-java/jffi-1.0.11 ~x86
> =dev-java/snakeyaml-1.9 ~x86

These should also be stabilized, unless the java folks have more specific requirements for versions. @java, if so, then please add a comment.

amd64 stable

*** Bug 414715 has been marked as a duplicate of this bug. ***

x86 stable, closing

(In reply to comment #9)
> x86 stable, closing

Re-opening, that was an automated tool, sorry.

Thanks, everyone. GLSA Vote: Yes.

GLSA vote: yes.

Filing GLSA request.
This issue was resolved and addressed in GLSA 201207-06 at http://security.gentoo.org/glsa/glsa-201207-06.xml by GLSA coordinator Sean Amoss (ackle).
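The CVE text in the bug description says only that an attacker can "trigger hash collisions predictably"; the following is an added Ruby example (not code from this bug, from the GLSA, or from JRuby itself) showing what that means in practice. A toy chained hash table counts key comparisons; an unseeded multiplier-31 polynomial hash (the shape of Java's `String.hashCode`, used here purely as an illustrative predictable hash, not as JRuby's pre-1.6.5.1 function) lets an attacker precompute 2^n keys that land in one bucket, so n inserts cost O(n^2) comparisons. A keyed hash with a per-process secret seed and non-linear mixing (an assumed construction, not JRuby's actual fix) spreads the same keys across buckets. The class, function and constant names, the seed and the 4096-bucket size are assumptions of this example.

```ruby
# Added example, not from the Gentoo bug or JRuby: demonstrates the
# CVE-2011-4838 class of bug (predictable hash -> attacker-forced collisions)
# and the seeded-hash mitigation, on a toy chained hash table.

class ToyHashTable
  attr_reader :probes

  def initialize(bucket_count, hasher)
    @buckets = Array.new(bucket_count) { [] }
    @hasher = hasher
    @probes = 0 # key comparisons performed by insert; the "CPU consumption"
  end

  # Chained insert: compare against every key already in the bucket, then append.
  def insert(key, value)
    bucket = @buckets[@hasher.call(key) % @buckets.size]
    bucket.each do |entry|
      @probes += 1
      if entry[0] == key
        entry[1] = value
        return value
      end
    end
    bucket << [key, value]
    value
  end

  def longest_chain
    @buckets.map(&:size).max
  end
end

# Unseeded polynomial hash with multiplier 31 (illustrative predictable hash,
# same shape as Java's String.hashCode). Ruby integers do not wrap, which does
# not matter here: the crafted collisions below are exact polynomial collisions.
PREDICTABLE_HASH = lambda do |str|
  str.each_byte.reduce(0) { |h, b| h * 31 + b }
end

# Keyed hash (assumed construction): a secret per-process seed plus multiply/
# xorshift mixing, so the attacker cannot precompute colliding keys offline.
def seeded_hasher(seed)
  lambda do |str|
    h = seed & 0xFFFFFFFF
    str.each_byte do |b|
      h = ((h ^ b) * 0x9E3779B1) & 0xFFFFFFFF
      h ^= h >> 15
    end
    h
  end
end

# "Aa" and "BB" hash identically under h*31+b (65*31+97 == 66*31+66 == 2112),
# so every string built from `pairs` such blocks shares one hash value:
# 2**pairs colliding keys from a two-symbol alphabet, precomputable offline.
def attack_keys(pairs)
  %w[Aa BB].repeated_permutation(pairs).map(&:join)
end

# Insert every key into a fresh table and report the work it cost.
def measure(keys, hasher, bucket_count = 4096)
  table = ToyHashTable.new(bucket_count, hasher)
  keys.each { |k| table.insert(k, true) }
  { probes: table.probes, longest_chain: table.longest_chain }
end

if __FILE__ == $PROGRAM_NAME
  keys = attack_keys(10) # 1024 crafted keys, constructed input
  puts "predictable hash: #{measure(keys, PREDICTABLE_HASH)}"
  puts "seeded hash:      #{measure(keys, seeded_hasher(Random.new_seed))}"
end
```

With 1024 crafted keys the predictable hash performs 1023 + 1022 + ... + 0 = 523776 comparisons and builds a single chain of length 1024, while the seeded hash keeps chains a few entries long, which is the difference between a linear and a quadratic cost for a request body that is only a few kilobytes. The mitigation depends on the seed staying secret and unpredictable for the life of the process; if the seed is derivable, the attacker regains the ability to precompute collisions.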