Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Ruby: Denial of Service issue — GLSA 200411-23

The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.

Affected packages

Package dev-lang/ruby on all architectures
Affected versions < 1.8.2_pre3
Unaffected versions revision >= 1.6.8-r12
>= 1.8.2_pre3

Background

Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby's CGI module can be used to build web applications.

Description

Ruby's developers found and fixed an issue in the CGI module that can be triggered remotely and cause an infinite loop.

Impact

A remote attacker could trigger the vulnerability through an exposed Ruby web application and cause the server to use unnecessary CPU resources, potentially resulting in a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All Ruby 1.6.x users should upgrade to the latest version: 

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.6.8-r12"

All Ruby 1.8.x users should upgrade to the latest version: 

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2_pre3"

References

Release date
November 16, 2004

Latest revision
November 16, 2004: 01

Severity
normal

Exploitable
remote

Bugzilla entries