Summary: | <dev-lang/ruby-{1.9.3_p550,2.0.0_p594,2.1.4}: Denial Of Service XML Expansion (CVE-2014-8080) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | ruby
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1157709 | |
Whiteboard: | B3 [glsa] | |
Package list: | | Runtime testing required: | ---
Description

Agostino Sarubbo, 2014-10-27 14:39:56 UTC

Upstream announcement: https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/

Now in the tree:
ruby-1.9.3_p550
ruby-2.0.0_p594
ruby-2.1.4

Since ruby-2.0.0_p594 and ruby-2.1.4 both contain bug fixes in addition to security fixes, my suggestion would be to wait a few days before marking these as stable so we can shake out any unexpected issues first.

No problems have been reported, so we are good to go for stabilization:
=dev-lang/ruby-1.9.3_p550
=dev-lang/ruby-2.0.0_p594

Stable for HPPA.
amd64 stable
x86 stable
arm stable
ppc stable
ppc64 stable
ia64 stable
sparc stable
alpha stable

Maintainer(s), please clean up. Security, please vote.

Vulnerable versions have now been removed.

CVE-2014-8080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8080): The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.

Arches and Maintainer(s), thank you for your work.

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).
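The CVE text above describes the vulnerability class (unbounded entity expansion exhausting memory) but not the knob an operator uses to bound it. The script below is an added example, not code from the bug report, the Gentoo tree or the Ruby project; it uses the real REXML::Document.entity_expansion_limit setting (default 10000, process-global) that the fixed Ruby releases enforce, and parses two constructed documents to show that a document within the budget still yields its text while one exceeding the budget is aborted. The sample documents, the budget values and the helper names (sample_doc, parse_with_limit, demo) are this example's own; the documents repeat a single flat entity rather than nesting entities, which is enough to exercise the counter.

```ruby
require "rexml/document"

# Constructed sample document (not from the bug report): one internal entity
# referenced `refs` times inside a text node.
def sample_doc(refs)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE r [ <!ENTITY e "hello"> ]>
    <r>#{"&e;" * refs}</r>
  XML
end

# Parse `xml` and force expansion of its root text under an expansion budget.
# Returns the expanded text, or :rejected when REXML aborts because the
# number of entity expansions exceeded the limit. The limit is process-global,
# so the previous value is restored on every exit path.
def parse_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  begin
    doc = REXML::Document.new(xml)
    doc.root.text                 # each &e; expansion is counted here
  rescue RuntimeError             # "number of entity expansions exceeded, processing aborted."
    :rejected
  ensure
    REXML::Document.entity_expansion_limit = previous
  end
end

# Run the four combinations a defender cares about: a small and a larger
# document, each under the default budget and under a deliberately tight one.
def demo
  small = sample_doc(5)
  large = sample_doc(50)
  {
    small_default: parse_with_limit(small, 10_000),
    large_default: parse_with_limit(large, 10_000),
    small_capped:  parse_with_limit(small, 20),
    large_capped:  parse_with_limit(large, 20),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The point for operators is the last two rows: a budget that an application's legitimate documents never approach costs nothing, while anything that trips it is rejected with a RuntimeError before memory grows, which is the behaviour the patched releases restore. REXML also exposes REXML::Document.entity_expansion_text_limit for the byte size of expanded text; it is not changed here.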