[OpenPKG-SA-2006.030] OpenPKG Security Advisory (ruby)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                                   OpenPKG GmbH
http://openpkg.org/security/                          http://openpkg.com
OpenPKG-SA-2006.030                                           2006-11-04
________________________________________________________________________

Package:             ruby
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Series:     Affected Packages:         Corrected Packages:
E1.0-SOLID           <= ruby-1.8.5-E1.0.0       >= ruby-1.8.5-E1.0.1
2-STABLE-20061018    <= ruby-1.8.5-2.20061020   >= ruby-1.8.5-2.20061104
2-STABLE             <= ruby-1.8.5-2.20061020   >= ruby-1.8.5-2.20061104
CURRENT              <= ruby-1.8.5-20061013     >= ruby-1.8.5-20061104

Description:
  According to a vendor security advisory [0], a Denial of Service
  (DoS) vulnerability exists in the CGI library of the programming
  language Ruby [1], versions up to and including 1.8.5. The problem
  is triggered by sending the library an HTTP request that uses
  multipart MIME encoding and has an invalid boundary specifier that
  begins with "-" instead of "--". Once triggered, it will exhaust all
  available memory resources, effectively creating a DoS condition. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2006-5467 [2] to the problem.
________________________________________________________________________

References:
  [0] http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/
  [1] http://www.ruby-lang.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFFTJUbgHWT4GPEy58RAiXhAJ9Qiqy8qrAxORe4GRcko/HlXgIDzQCfWZ6f
8sWeGvX/VB6qb8FDAHM/6kg=
=Axmg
-----END PGP SIGNATURE-----
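
The following is an added example, not part of the advisory and not OpenPKG or Ruby project code: a pre-parse gate that refuses multipart requests whose first delimiter line is not exactly "--" plus the declared boundary, for use in front of a CGI parser that has not yet been upgraded to a corrected package. The function names, the size cap and the reading that the malformed delimiter appears as the first body line are assumptions.

```ruby
# Added example (not OpenPKG or Ruby project code). Names are hypothetical.
MAX_BODY_BYTES = 8 * 1024 * 1024 # assumed site policy, not from the advisory
BCHARS = %r{\A[0-9A-Za-z'()+_,./:=? -]{1,70}\z} # RFC 2046 boundary alphabet

# Pull the boundary parameter out of a multipart/form-data Content-Type value.
def multipart_boundary(content_type)
  ct = content_type.to_s
  return nil unless ct =~ %r{\Amultipart/form-data\b}i
  m = ct.match(/;\s*boundary=(?:"([^"]+)"|([^;\s]+))/i)
  b = m && (m[1] || m[2])
  b && b.match?(BCHARS) ? b : nil
end

# Decide whether a request may be handed to the CGI parser.
# body_head is the first bytes of the body (one line is enough).
# Returns [allowed, reason]. Stricter than RFC 2046: no preamble accepted.
def check_multipart(content_type, content_length, body_head)
  boundary = multipart_boundary(content_type)
  return [false, :no_boundary] unless boundary
  unless content_length.is_a?(Integer) && content_length.between?(1, MAX_BODY_BYTES)
    return [false, :bad_length]
  end
  first_line = body_head.to_s.split(/\r?\n/, 2).first.to_s
  expected = "--" + boundary
  return [true, :ok] if first_line == expected
  # The malformed shape the advisory describes: "-" where "--" is required.
  return [false, :single_dash_delimiter] if first_line == "-" + boundary
  [false, :delimiter_mismatch]
end

# Constructed sample requests (not captured traffic).
SAMPLE_CT   = 'multipart/form-data; boundary=AaB03x'
SAMPLE_GOOD = "--AaB03x\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nv\r\n--AaB03x--\r\n"
SAMPLE_BAD  = SAMPLE_GOOD.sub("--AaB03x", "-AaB03x")

if __FILE__ == $0
  [SAMPLE_GOOD, SAMPLE_BAD].each do |body|
    p check_multipart(SAMPLE_CT, body.bytesize, body[0, 128])
  end
end
```

Logging the `:single_dash_delimiter` reason separately from other rejections gives a direct signal that someone is probing for CVE-2006-5467.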