[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OpenPKG-SA-2006.030@openpkg.org>
Date: Sat, 4 Nov 2006 14:27:04 +0100
From: OpenPKG <openpkg@...npkg.org>
To: bugtraq@...urityfocus.com
Subject: [OpenPKG-SA-2006.030] OpenPKG Security Advisory (ruby)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory OpenPKG GmbH
http://openpkg.org/security/ http://openpkg.com
OpenPKG-SA-2006.030 2006-11-04
________________________________________________________________________
Package: ruby
Vulnerability: denial of service
OpenPKG Specific: no
Affected Series: Affected Packages: Corrected Packages:
E1.0-SOLID <= ruby-1.8.5-E1.0.0 >= ruby-1.8.5-E1.0.1
2-STABLE-20061018 <= ruby-1.8.5-2.20061020 >= ruby-1.8.5-2.20061104
2-STABLE <= ruby-1.8.5-2.20061020 >= ruby-1.8.5-2.20061104
CURRENT <= ruby-1.8.5-20061013 >= ruby-1.8.5-20061104
Description:
According to a vendor security information [0], a Denial of Service
(DoS) vulnerability exists in the CGI library of the programming
language Ruby [1], versions up to and including 1.8.5. The problem
is triggered by sending the library an HTTP request that uses
multipart MIME encoding and has an invalid boundary specifier that
begins with "-" instead of "--". Once triggered it will exhaust all
available memory resources effectively creating a DoS condition. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CVE-2006-5467 [2] to the problem.
________________________________________________________________________
References:
[0] http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/
[1] http://www.ruby-lang.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@...npkg.org>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@...npkg.org>
iD8DBQFFTJUbgHWT4GPEy58RAiXhAJ9Qiqy8qrAxORe4GRcko/HlXgIDzQCfWZ6f
8sWeGvX/VB6qb8FDAHM/6kg=
=Axmg
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists