Bug 130657 - dev-lang/ruby http/xmlrpc server DoS (CVE-2006-1931)
Summary: dev-lang/ruby http/xmlrpc server DoS (CVE-2006-1931)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
Reported: 2006-04-20 13:58 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-05-09 22:31 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 13:58:49 UTC
A bug was found in the way ruby creates its http (and thus xmlrpc)
server.  The server uses blocking sockets, so if it is possible to
send a very large amount of data via the socket, the server will block
other connections resulting in a denial of service.
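An added illustration of the blocking-read problem the description refers to; this is not Ruby's WEBrick/XML-RPC code and not from this bug. A toy line-oriented Ruby server is started in two variants, one doing the read in the accept loop and one reading each connection in its own thread with a deadline, and a defender's probe checks whether a well-formed client is still answered while another connection sits open without completing its request. The read timeout, the two-second probe window and the "hello"/"OK" message format are constructed for the example.

```ruby
require "socket"
require "timeout"

READ_TIMEOUT = 0.5 # seconds a client gets to finish its request (constructed value)

# Starts a toy server on an ephemeral loopback port and returns the port.
# per_connection_thread: false -> the accept loop itself performs the blocking
#   read, so one connection that never finishes its line stalls every client
#   queued behind it (the failure mode described in the bug).
# per_connection_thread: true  -> each connection is read in its own thread
#   under a deadline, so a stalled sender only costs itself.
def start_server(per_connection_thread:)
  server = TCPServer.new("127.0.0.1", 0)
  handler = lambda do |sock|
    begin
      line = nil
      if per_connection_thread
        ready = IO.select([sock], nil, nil, READ_TIMEOUT) # nil on timeout
        line = sock.gets if ready
      else
        line = sock.gets # blocks until a newline arrives or the peer closes
      end
      sock.write("OK #{line.strip}\n") if line
    ensure
      sock.close
    end
  end
  Thread.new do
    loop do
      sock = server.accept
      if per_connection_thread
        Thread.new(sock) { |s| handler.call(s) }
      else
        handler.call(sock)
      end
    end
  end
  server.addr[1]
end

# Defender's check: with one connection held open and never completed, does a
# well-formed client still receive its reply within two seconds?
def serves_others_while_one_stalls?(port)
  stalled = TCPSocket.new("127.0.0.1", port) # connects, sends nothing
  Timeout.timeout(2) do
    client = TCPSocket.new("127.0.0.1", port)
    client.puts("hello")
    reply = client.gets
    client.close
    reply == "OK hello\n"
  end
rescue Timeout::Error
  false
ensure
  stalled&.close
end
```

The probe returns true for the per-connection-thread server and false for the accept-loop variant, which is the behaviour the description attributes to the blocking-socket server.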
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 14:00:06 UTC
Ruby please advise and bump as needed.
Comment 2 Caleb Tennis (RETIRED) gentoo-dev 2006-04-20 16:11:47 UTC
Looks to me like this is fixed in 1.8.4 (possibly 1.8.3, though I don't have that on my system to check).

I'd recommend having the remaining arches bump to 1.8.4-r1 (or newer) to stable to fix this issue.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 21:28:13 UTC
Thanks Caleb,

amd64 seems to be the only arch needing to test 1.8.4
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 11:18:27 UTC
amd64 is late
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2006-04-29 02:36:46 UTC
amd64 stable. It seems you have missed hppa; they have 1.0.3 stable but not 1.0.4-r1.
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2006-05-01 11:08:30 UTC
stable on hppa as well.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-05-02 09:29:45 UTC
I tend to vote yes, but a very light one.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-02 09:44:46 UTC
Half YES from me.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 13:39:49 UTC
don't know
Comment 10 Adir Abraham 2006-05-06 02:07:42 UTC
I tend to vote YES as well.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-05-07 11:00:14 UTC
So let's have one.
Comment 12 Wolf Giesen (RETIRED) gentoo-dev 2006-05-07 22:51:03 UTC
I tend to see a yes, too, but actually I'm a little afraid we're opening Pandora's box if we're going to include everything like this.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-09 22:31:56 UTC
GLSA 200605-11