| Summary: | <dev-lang/ruby-1.9.3_p392: hash-flooding DoS (CVE-2012-5371) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gentoo, ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 458776 | | |
| Bug Blocks: | | | |
Description

Agostino Sarubbo, 2012-11-10 10:14:17 UTC

CVE-2012-5371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371): Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.

*** Bug 445200 has been marked as a duplicate of this bug. ***

Ruby 1.9.3-p362 has just been released - bug fixes only, no additional security patches.
http://www.ruby-lang.org/en/news/2012/12/25/ruby-1-9-3-p362-is-released/

Ruby 1.9.3-p385 has just been released which includes a security fix.
http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/

(In reply to comment #4)
> Ruby 1.9.3-p385 has just been released which includes a security fix.
>
> http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/

This version is now in the tree.

GLSA vote: yes.

Added to existing request.

This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).
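The following Ruby script is an added illustration of the risk the CVE text describes; it is not part of the bug report, of Gentoo's packaging, or of CRuby's own hash implementation. It builds a toy separate-chaining hash table (`ToyHashTable`, `measure`, `BYTE_SUM`, `SEEDED` and `COLLIDING_KEYS` are all constructed names) that counts key comparisons, then feeds it a constructed set of keys that all collide under a predictable, unkeyed hash function. The same keys spread out under Ruby's own `String#hash`, which has been seeded with a per-process random value since the upstream fix (1.9.3-p327 adopted keyed SipHash), which is the mitigation the GLSA delivers.

```ruby
# Added illustration (not from the bug report or from CRuby's sources):
# a toy separate-chaining hash table that counts the key comparisons its
# lookups cost. It shows why an unkeyed, predictable hash function lets
# crafted input degrade a table to O(n) per operation, and why a secret
# per-process seed (the kind of fix shipped for CVE-2012-5371) restores O(1).

class ToyHashTable
  attr_reader :comparisons

  # hash_fn: a lambda mapping a String key to an Integer
  def initialize(hash_fn, buckets: 1024)
    @hash_fn = hash_fn
    @buckets = Array.new(buckets) { [] }
    @comparisons = 0
  end

  # Ruby's % always yields a non-negative index for a positive divisor,
  # so negative hash values are safe here.
  def bucket_for(key)
    @buckets[@hash_fn.call(key) % @buckets.size]
  end

  def []=(key, value)
    chain = bucket_for(key)
    pair = chain.find { |k, _| @comparisons += 1; k == key }
    if pair then pair[1] = value else chain << [key, value] end
  end

  def [](key)
    pair = bucket_for(key).find { |k, _| @comparisons += 1; k == key }
    pair && pair[1]
  end

  def longest_chain
    @buckets.map(&:length).max
  end
end

# Predictable hash: the sum of the key's bytes. Any two anagrams collide, so
# anyone who knows the function can predict which keys share a bucket.
BYTE_SUM = ->(key) { key.bytes.sum }

# Keyed hash: Ruby's String#hash is seeded with a random value at process
# start, so the bucket a key lands in is not predictable from outside.
SEEDED = ->(key) { key.hash }

# Constructed worst-case input: 64 distinct anagrams of "abcdefgh". They have
# equal byte sums, so every one of them collides under BYTE_SUM.
COLLIDING_KEYS = ('a'..'h').to_a.permutation.first(64).map(&:join).freeze

# Insert the keys, look each one up again, and report the longest bucket
# chain plus the number of key comparisons the 64 lookups cost.
def measure(hash_fn, keys = COLLIDING_KEYS)
  table = ToyHashTable.new(hash_fn)
  keys.each { |k| table[k] = true }
  before = table.comparisons
  keys.each { |k| table[k] }
  { longest_chain: table.longest_chain,
    lookup_comparisons: table.comparisons - before }
end

if __FILE__ == $PROGRAM_NAME
  # Unkeyed: one chain of 64, and 64 lookups cost 1+2+...+64 = 2080 comparisons.
  puts "byte-sum hash: #{measure(BYTE_SUM)}"
  # Seeded: short chains, roughly one comparison per lookup.
  puts "seeded hash:   #{measure(SEEDED)}"
end
```

Running the script twice shows a second property of the mitigation: the seeded table's bucket layout changes from run to run, so a collision set computed against one process does not carry over to the next. For an application, the practical check is simply the Ruby version in use (`ruby -v`), which on a patched Gentoo system is at or above the GLSA's fixed version.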