marking this as private for now.
From: Martin Schulze <email@example.com>
Subject: [vendor-sec] CAN-2004-0983: Denial of service in Ruby
Date: Wed, 03 Nov 2004 09:20:37 +0100
I don't know if some of you are also shipping a version of ruby
in your distributions. We have received a report that the upstream
developers have corrected a problem that could be triggered remotely
and cause an infinite loop on the server, since it's the CGI module.
The patch is here:
This problem is semi-public already (upstream cvs, Debian packages), so
it may not be too useful to try a coordinated release, but if you
would like to, I could postpone the advisory a bit.
ruby folks, could you please have a look at this? Adding usata as an explicit CC since I'm not sure he can see the bug, otherwise.
Adding xavier so he can see the bug.
I'll look into this problem (I get bugzilla mail from ruby alias).
But now you can't see this bug or comment here anymore.
Putting individual names rather than aliases.
Debian published http://www.debian.org/security/2004/dsa-586.
Ruby please provide a fixed ebuild.
Thanks for re-adding me to this bug (I was not aware
that I was not able to revisit the security bug).
I added ruby-1.6.8-r12 on 5 Nov, and agriffis added
ruby-1.8.2_pre3 yesterday. Both versions contain the
fix by ruby upstream. I could make patched revisions
of <=ruby-1.8.2_pre2, but I would rather ask arch
devs to test 1.6.8-r12 and ruby-1.8.2_pre3 and mark
Arches please mark ruby-1.6.8-r1 and ruby-1.8.2_pre3 stable.
I cannot mark stable on ppc64: Won't compile: [...] ./mkconfig.rb:142: syntax error [...] Markus
Do you have cjk in USE?
1.8.2_pre3 stable for sparc. I cannot comment on 1.6.8-r1.
1.8.2_pre3 and 1.6.8-r12 stable on amd64
This is keyworded for ppc-macos, but that's not the arch alias. CC'ing kito and ndimiduk
stable on ppc (both)
Stable on alpha.
mhh.. mysterious.. I cannot reproduce that error again. dev-lang/ruby-1.8.2_pre3 is now stable on ppc64.
stable on ppc-macos.
1.6.8-r12 is also stable for sparc. Builds, installs, and runs test cases as expected.
security, pls vote on GLSA (since this is rated B3)
/me votes for a GLSA
at least Debian, Mandrake and Ubuntu have published advisories already
I vote for a GLSA too.
Stable on mips.
I vote YES too
arm hppa ia64: please mark stable to benefit from GLSA
s390 should also mark 1.8.2_pre3 stable
Ruby team : please clean up old vulnerable versions...