[SECURITY] [DLA 275-1] ruby1.9.1 security update

2015-07-2000:52:47

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.006

Percentile

77.9%

JSON

Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u6
CVE ID : CVE-2014-6438

It was discovered that the uri package in the Ruby standard library
uses regular expressions that may result in excessive backtracking.
Ruby applications that parse untrusted URIs using this library were
susceptible to denial-of-service attacks by passing crafted URIs.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 1.9.2.0-2+deb6u6.

The oldstable distribution (wheezy) and stable distribution (jessie)
were not affected by this problem as it was fixed before release.

–
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

Attachment:
signature.asc
Description: This is a digitally signed message part

OSVersionArchitecturePackageVersionFilename
Debian6amd64ruby1.9.1-dev< 1.9.2.0-2+deb6u6ruby1.9.1-dev_1.9.2.0-2+deb6u6_amd64.deb
Debian6allruby1.9.1-full< 1.9.2.0-2+deb6u6ruby1.9.1-full_1.9.2.0-2+deb6u6_all.deb
Debian6i386ruby1.9.1-dev< 1.9.2.0-2+deb6u6ruby1.9.1-dev_1.9.2.0-2+deb6u6_i386.deb
Debian6allruby1.9.1< 1.9.2.0-2+deb6u6ruby1.9.1_1.9.2.0-2+deb6u6_all.deb
Debian6allri1.9.1< 1.9.2.0-2+deb6u6ri1.9.1_1.9.2.0-2+deb6u6_all.deb
Debian6i386libruby1.9.1-dbg< 1.9.2.0-2+deb6u6libruby1.9.1-dbg_1.9.2.0-2+deb6u6_i386.deb
Debian6amd64ruby1.9.1< 1.9.2.0-2+deb6u6ruby1.9.1_1.9.2.0-2+deb6u6_amd64.deb
Debian6allruby1.9.1-examples< 1.9.2.0-2+deb6u6ruby1.9.1-examples_1.9.2.0-2+deb6u6_all.deb
Debian6amd64libtcltk-ruby1.9.1< 1.9.2.0-2+deb6u6libtcltk-ruby1.9.1_1.9.2.0-2+deb6u6_amd64.deb
Debian6allruby1.9.1-elisp< 1.9.2.0-2+deb6u6ruby1.9.1-elisp_1.9.2.0-2+deb6u6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	amd64	ruby1.9.1-dev	< 1.9.2.0-2+deb6u6	ruby1.9.1-dev_1.9.2.0-2+deb6u6_amd64.deb
Debian	6	all	ruby1.9.1-full	< 1.9.2.0-2+deb6u6	ruby1.9.1-full_1.9.2.0-2+deb6u6_all.deb
Debian	6	i386	ruby1.9.1-dev	< 1.9.2.0-2+deb6u6	ruby1.9.1-dev_1.9.2.0-2+deb6u6_i386.deb
Debian	6	all	ruby1.9.1	< 1.9.2.0-2+deb6u6	ruby1.9.1_1.9.2.0-2+deb6u6_all.deb
Debian	6	all	ri1.9.1	< 1.9.2.0-2+deb6u6	ri1.9.1_1.9.2.0-2+deb6u6_all.deb
Debian	6	i386	libruby1.9.1-dbg	< 1.9.2.0-2+deb6u6	libruby1.9.1-dbg_1.9.2.0-2+deb6u6_i386.deb
Debian	6	amd64	ruby1.9.1	< 1.9.2.0-2+deb6u6	ruby1.9.1_1.9.2.0-2+deb6u6_amd64.deb
Debian	6	all	ruby1.9.1-examples	< 1.9.2.0-2+deb6u6	ruby1.9.1-examples_1.9.2.0-2+deb6u6_all.deb
Debian	6	amd64	libtcltk-ruby1.9.1	< 1.9.2.0-2+deb6u6	libtcltk-ruby1.9.1_1.9.2.0-2+deb6u6_amd64.deb
Debian	6	all	ruby1.9.1-elisp	< 1.9.2.0-2+deb6u6	ruby1.9.1-elisp_1.9.2.0-2+deb6u6_all.deb