** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
A bug was found in Ruby's standard library. That bug enables third-party
people to cause ruby processes to segfault. CVE-2009-1904 was assigned to this.
A release containing a fix will be public soon.
This bug just got reported on the Rails security list as well, which is out in the open. It also points to this news item:
I've added both new versions to CVS, but I have not tested them very well yet.
Alex: I did confirm that 1.8.7_173 fixes my threading issues.
Public via $URL.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Stable on alpha.
shouldn't there be a glsa associated with this?
(In reply to comment #7)
> shouldn't there be a glsa associated with this?
After all security-supported architectures have stabled the package, yes.
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before
p173 allows context-dependent attackers to cause a denial of service
(application crash) via a string argument that represents a large
number, as demonstrated by an attempted conversion to the Float data
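Two defensive checks that follow from the CVE description above, added here as an example; this is not code from the bug thread, from Gentoo, or from the Ruby project. The first compares an interpreter's version and patchlevel against the fixed patchlevels the advisory names (1.8.6 p369, 1.8.7 p173). The second bounds the magnitude of an untrusted numeric string before it is handed to any Float conversion, so an oversized value is refused rather than reaching the library. The function names, `MAX_LITERAL_LENGTH`, and the magnitude bound derived from `Float::MAX_10_EXP` are assumptions of this example; rejecting extremely small exponents as well as large ones is a conservative choice that goes beyond what the advisory states.

```ruby
# Added example, not code from this bug report or from Ruby itself.
# Two defensive checks around CVE-2009-1904 (BigDecimal crash on a string that
# represents a very large number, triggered on conversion to Float):
#   1. vulnerable_ruby?      -- is the interpreter older than the fixed
#                               patchlevels the advisory names?
#   2. safe_numeric_to_float -- bound the magnitude of an untrusted numeric
#                               string before it reaches any Float conversion.

# Fixed patchlevels as stated in the CVE description (1.8.6 p369, 1.8.7 p173).
FIXED_PATCHLEVEL = { "1.8.6" => 369, "1.8.7" => 173 }.freeze

# true  -> release line named by the advisory and below its fixed patchlevel
# false -> release line named by the advisory and at/after the fix
# nil   -> release line not covered by the advisory text; cannot decide here
def vulnerable_ruby?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  fixed = FIXED_PATCHLEVEL[version]
  return nil if fixed.nil?
  patchlevel < fixed
end

# Plain decimal literal: digits, optional fraction, optional exponent.
# Kept strict so that anything matching is also accepted by Kernel#Float.
NUMERIC_RE = /\A[+-]?(?<int>\d+)(?:\.(?<frac>\d+))?(?:[eE](?<exp>[+-]?\d+))?\z/

MAX_LITERAL_LENGTH = 1024               # assumed policy: longer input is refused outright
MAX_MAGNITUDE = Float::MAX_10_EXP + 1   # 309: more integer digits than this cannot be
                                        # a finite Float, so such input is never converted

# Decimal magnitude = significant integer digits plus the exponent, i.e. roughly
# log10 of the absolute value, computed from the text alone (no parsing yet).
def decimal_magnitude(match)
  significant = match[:int].sub(/\A0+/, "")
  significant.length + match[:exp].to_i
end

# Returns a finite Float for a well-formed, reasonably sized literal, or nil.
# The size check runs before any numeric parsing, which is the point: on an
# interpreter affected by the CVE, the conversion itself is what crashes.
def safe_numeric_to_float(str)
  return nil unless str.is_a?(String) && str.length <= MAX_LITERAL_LENGTH
  m = NUMERIC_RE.match(str)
  return nil if m.nil?
  return nil if decimal_magnitude(m).abs > MAX_MAGNITUDE
  f = Float(str)
  f.finite? ? f : nil
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "interpreter #{RUBY_VERSION}p#{RUBY_PATCHLEVEL} vulnerable? #{vulnerable_ruby?.inspect}"
  # Constructed sample inputs: ordinary value, largest representable exponent,
  # overflow at the boundary, far out of range, and malformed text.
  ["123.45", "1e308", "5e308", "1e99999", "12abc"].each do |s|
    puts "#{s.inspect} -> #{safe_numeric_to_float(s).inspect}"
  end
end
```

The version check is meant for fleet inventory (feed it the `RUBY_VERSION`/`RUBY_PATCHLEVEL` pair reported by each host); the input guard is the mitigation to put in front of any code path that converts user-supplied strings to numbers on an interpreter that cannot be updated yet.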
GLSA draft filed.