From https://bugzilla.redhat.com/show_bug.cgi?id=875236 :

Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x and the 2.0.0 preview [1]. As noted in the upstream report:

> A carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web applications that parse JSON data sent from an untrusted entity. This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using a modified MurmurHash function, but it has been reported that there is a way to create a sequence of strings whose hash values collide with each other. This fix changes the Hash function of String objects from MurmurHash to SipHash 2-4.

Ruby 1.8.x is not noted as being affected by this flaw.

[1] http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
CVE-2012-5371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371): Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
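The keyed SipHash-2-4 that the fix above puts behind String#hash, written out as an added Ruby example (not Ruby's own C implementation): it checks the test vector published in the SipHash paper and shows that a per-process random key, which is what makes the fix work, leaves a string's hash value unpredictable to anyone who does not hold the key. The function names `siphash24` and `key_changes_hashes?` are this example's own.

```ruby
require "securerandom"

MASK64 = (1 << 64) - 1

def rotl64(x, b)
  ((x << b) | (x >> (64 - b))) & MASK64
end

# One SipRound over the four 64-bit state words.
def sip_round(v0, v1, v2, v3)
  v0 = (v0 + v1) & MASK64; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32)
  v2 = (v2 + v3) & MASK64; v3 = rotl64(v3, 16); v3 ^= v2
  v0 = (v0 + v3) & MASK64; v3 = rotl64(v3, 21); v3 ^= v0
  v2 = (v2 + v1) & MASK64; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32)
  [v0, v1, v2, v3]
end

# SipHash-2-4: 16-byte secret key, arbitrary message, 64-bit integer output.
# Unlike the unkeyed MurmurHash, which inputs collide depends on the key.
def siphash24(key, msg)
  raise ArgumentError, "key must be 16 bytes" unless key.bytesize == 16
  k0, k1 = key.unpack("Q<Q<")
  v = [0x736f6d6570736575 ^ k0, 0x646f72616e646f6d ^ k1,
       0x6c7967656e657261 ^ k0, 0x7465646279746573 ^ k1]
  bytes = msg.bytes
  full = bytes.length / 8
  full.times do |i|                       # whole 8-byte little-endian blocks
    m = bytes[i * 8, 8].pack("C*").unpack("Q<")[0]
    v[3] ^= m
    2.times { v = sip_round(*v) }
    v[0] ^= m
  end
  last = (bytes.length & 0xff) << 56      # final block: tail bytes + length
  bytes.drop(full * 8).each_with_index { |b, i| last |= b << (8 * i) }
  v[3] ^= last
  2.times { v = sip_round(*v) }
  v[0] ^= last
  v[2] ^= 0xff
  4.times { v = sip_round(*v) }
  v[0] ^ v[1] ^ v[2] ^ v[3]
end

# Two fresh random keys, as two separate Ruby processes would draw at startup:
# values computed under one key say nothing about values under the other.
def key_changes_hashes?(strings)
  k1 = SecureRandom.random_bytes(16)
  k2 = SecureRandom.random_bytes(16)
  strings.any? { |s| siphash24(k1, s) != siphash24(k2, s) }
end

# Test vector from the SipHash paper: key 00..0f, message 00..0e.
TV_KEY = (0..15).to_a.pack("C*")
TV_MSG = (0..14).to_a.pack("C*")
puts format("%016x", siphash24(TV_KEY, TV_MSG))  # a129ca6149be45e5
```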
*** Bug 445200 has been marked as a duplicate of this bug. ***
Ruby 1.9.3-p362 has just been released - bug fixes only, no additional security patches. http://www.ruby-lang.org/en/news/2012/12/25/ruby-1-9-3-p362-is-released/
Ruby 1.9.3-p385 has just been released, which includes a security fix. http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/
(In reply to comment #4)
> Ruby 1.9.3-p385 has just been released, which includes a security fix.
>
> http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/

This version is now in the tree.
GLSA vote: yes.
Added to existing request.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).