| Field | Value |
|---|---|
| Summary | <dev-lang/ruby-1.9.3_p392: DoS vulnerabilities (CVE-2013-{0269,1821}) |
| Product | Gentoo Security |
| Reporter | Hans de Graaff <graaff> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | ruby |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 437264, 442580 |
Description
Hans de Graaff
2013-02-22 18:57:06 UTC
Now in the tree:

=dev-lang/ruby-1.9.3_p392

(In reply to comment #1)
> Now in the tree:
>
> =dev-lang/ruby-1.9.3_p392

Thanks, Hans. Arches, please test and mark stable.

Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

ppc stable

ppc64 stable

amd64 stable

x86 stable

ia64 stable

hppa stable

sparc stable

s390 stable

arm stable

alpha stable

sh stable

GLSA vote: yes.

CVE-2013-0269 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269):
The JSON gem 1.7.x before 1.7.7, 1.6.x before 1.6.8, and 1.5.x before 1.5.5 allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

CVE-2013-1821 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821):
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

GLSA Vote: Yes

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).