[OpenPKG-SA-2006.030] OpenPKG Security Advisory (ruby)

Type securityvulns
Reporter Securityvulns
Modified 2006-11-05T00:00:00



OpenPKG Security Advisory OpenPKG GmbH http://openpkg.org/security/ http://openpkg.com OpenPKG-SA-2006.030 2006-11-04

Package: ruby Vulnerability: denial of service OpenPKG Specific: no

Affected Series: Affected Packages: Corrected Packages: E1.0-SOLID <= ruby-1.8.5-E1.0.0 >= ruby-1.8.5-E1.0.1 2-STABLE-20061018 <= ruby-1.8.5-2.20061020 >= ruby-1.8.5-2.20061104 2-STABLE <= ruby-1.8.5-2.20061020 >= ruby-1.8.5-2.20061104 CURRENT <= ruby-1.8.5-20061013 >= ruby-1.8.5-20061104

Description: According to a vendor security information [0], a Denial of Service (DoS) vulnerability exists in the CGI library of the programming language Ruby [1], versions up to and including 1.8.5. The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and has an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources effectively creating a DoS condition. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-5467 [2] to the problem.

References: [0] http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/ [1] http://www.ruby-lang.org/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467

For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) which you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the instructions on http://openpkg.org/security/signatures/ for details on how to verify the integrity of this advisory.

-----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFFTJUbgHWT4GPEy58RAiXhAJ9Qiqy8qrAxORe4GRcko/HlXgIDzQCfWZ6f 8sWeGvX/VB6qb8FDAHM/6kg= =Axmg -----END PGP SIGNATURE-----