Gentoo Logo

Ruby: Denial of Service issue

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200411-23 / Ruby
Release Date November 16, 2004
Latest Revision November 16, 2004: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
dev-lang/ruby < 1.8.2_pre3 revision >= 1.6.8-r12, >= 1.8.2_pre3 All supported architectures

Related bugreports: #69985

Synopsis

The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.

2.  Impact Information

Background

Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby's CGI module can be used to build web applications.

Description

Ruby's developers found and fixed an issue in the CGI module that can be triggered remotely and cause an infinite loop.

Impact

A remote attacker could trigger the vulnerability through an exposed Ruby web application and cause the server to use unnecessary CPU resources, potentially resulting in a Denial of Service.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Ruby 1.6.x users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.6.8-r12"

All Ruby 1.8.x users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2_pre3"

4.  References



Print

Page updated November 16, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.