From https://bugzilla.redhat.com/show_bug.cgi?id=875236 :
Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x
and the 2.0.0 preview.
As noted in the upstream report:
A carefully crafted sequence of strings can cause a denial of service attack on a service that
parses the sequence to create a Hash object by using the strings as keys. For instance, this
vulnerability affects web applications that parse JSON data sent from an untrusted entity.
This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using a
modified MurmurHash function, but it's reported that there is a way to create sequences of strings
whose hash values collide with each other. This fix changes the hash function of the String object
from MurmurHash to SipHash 2-4.
Ruby 1.8.x is not noted as being affected by this flaw.
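
To illustrate the fix described in the report above, here is an added example (not part of the bug report, and not CRuby's own code): SipHash-2-4 written out in plain Ruby. It shows that which strings share a hash bucket depends on the secret key. KEY_A, KEY_B, the candidate strings and the 64-slot table are constructed for the example; it assumes the interpreter's real key is random and unknown to whoever supplies the input.

```ruby
# Added illustration: SipHash-2-4 written out in plain Ruby (not CRuby's C code).
MASK64 = 0xFFFF_FFFF_FFFF_FFFF

def rotl64(x, b)
  ((x << b) | (x >> (64 - b))) & MASK64
end

# One SipRound over the four 64-bit state words.
def sipround(v)
  v[0] = (v[0] + v[1]) & MASK64; v[1] = rotl64(v[1], 13) ^ v[0]; v[0] = rotl64(v[0], 32)
  v[2] = (v[2] + v[3]) & MASK64; v[3] = rotl64(v[3], 16) ^ v[2]
  v[0] = (v[0] + v[3]) & MASK64; v[3] = rotl64(v[3], 21) ^ v[0]
  v[2] = (v[2] + v[1]) & MASK64; v[1] = rotl64(v[1], 17) ^ v[2]; v[2] = rotl64(v[2], 32)
end

# 64-bit SipHash-2-4 of msg under a 16-byte secret key.
def siphash24(key, msg)
  raise ArgumentError, "key must be 16 bytes" unless key.bytesize == 16
  k0, k1 = key.unpack("Q<Q<")
  v = [k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
       k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573]
  data = msg.b
  # Zero-pad to a multiple of 8 bytes; the final byte is the length mod 256.
  padded = data + ("\0".b * (7 - data.bytesize % 8)) + [data.bytesize & 0xff].pack("C")
  padded.unpack("Q<*").each do |m|
    v[3] ^= m
    2.times { sipround(v) } # c = 2 compression rounds
    v[0] ^= m
  end
  v[2] ^= 0xff
  4.times { sipround(v) }   # d = 4 finalization rounds
  v[0] ^ v[1] ^ v[2] ^ v[3]
end

# How many of `strings` land in each of `buckets` slots under `key`.
def bucket_histogram(key, strings, buckets)
  strings.group_by { |s| siphash24(key, s) % buckets }.map { |b, ss| [b, ss.size] }.to_h
end

# Constructed demo: keys and strings are made up for this example.
KEY_A = (0..15).to_a.pack("C*")
KEY_B = (16..31).to_a.pack("C*")
CANDIDATES = (0...4096).map { |i| "k#{i}" }
# Strings that share bucket 0 of a 64-slot table when the key is KEY_A...
SAME_BUCKET_A = CANDIDATES.select { |s| siphash24(KEY_A, s) % 64 == 0 }
# ...are scattered across the table again once a different key is in use.
SPREAD_UNDER_B = bucket_histogram(KEY_B, SAME_BUCKET_A, 64)
```

A set of keys that degrades the table under one key gives no such set under another, which is why an unkeyed or predictably seeded hash is the weak point in the scenario the report describes.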
Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash
values without properly restricting the ability to trigger hash collisions
predictably, which allows context-dependent attackers to cause a denial of
service (CPU consumption) via crafted input to an application that maintains
a hash table, as demonstrated by a universal multicollision attack against a
variant of the MurmurHash2 algorithm, a different vulnerability than
*** Bug 445200 has been marked as a duplicate of this bug. ***
Ruby 1.9.3-p362 has just been released - bug fixes only, no additional security patches.
Ruby 1.9.3-p385 has just been released which includes a security fix.
(In reply to comment #4)
> Ruby 1.9.3-p385 has just been released which includes a security fix.
This version is now in the tree.
GLSA vote: yes.
Added to existing request.
This issue was resolved and addressed in
GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).