Message-ID: <20041108235907.GA12860@box79162.elkhouse.de>
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-20-1] Ruby CGI module vulnerability

===========================================================
Ubuntu Security Notice USN-20-1		  November 08, 2004
ruby1.8 vulnerability
CAN-2004-0983
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libruby1.8

The problem can be corrected by upgrading the affected package to
version 1.8.1+1.8.2pre2-3ubuntu0.1.  In general, a standard system
upgrade is sufficient to effect the necessary changes.

Details follow:

The Ruby developers discovered a potential Denial of Service
vulnerability in the CGI module (cgi.rb). Specially crafted CGI
requests could cause an infinite loop in the server process.
Repetitive attacks could use most of the available processor
resources, exhaust the number of allowed parallel connections in web
servers, or cause similar effects which render the service
unavailable.

There is no possibility of privilege escalation or data loss.
