Lucene search

K
osvGoogleOSV:DSA-1652-1
HistoryOct 12, 2008 - 12:00 a.m.

ruby1.9 - several vulnerabilities

2008-10-1200:00:00
Google
osv.dev
5

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service and other
security problems. The Common Vulnerabilities and Exposures project
identifies the following problems:

  • CVE-2008-3655
    Keita Yamaguchi discovered that several safe level restrictions
    are insufficiently enforced.
  • CVE-2008-3656
    Christian Neukirchen discovered that the WebRick module uses
    inefficient algorithms for HTTP header splitting, resulting in
    denial of service through resource exhaustion.
  • CVE-2008-3657
    It was discovered that the dl module doesn’t perform taintness
    checks.
  • CVE-2008-3790
    Luka Treiber and Mitja Kolsek discovered that recursively nested
    XML entities can lead to denial of service through resource
    exhaustion in rexml.
  • CVE-2008-3905
    Tanaka Akira discovered that the resolv module uses sequential
    transaction IDs and a fixed source port for DNS queries, which
    makes it more vulnerable to DNS spoofing attacks.

For the stable distribution (etch), these problems have been fixed in
version 1.9.0+20060609-1etch3. Packages for arm will be provided later.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.2-6.

We recommend that you upgrade your ruby1.9 packages.

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C