[OpenPKG-SA-2006.030] OpenPKG Security Advisory (ruby)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [OpenPKG-SA-2006.030] OpenPKG Security Advisory (ruby)
From: OpenPKG <openpkg@xxxxxxxxxxx>
Date: Sat, 4 Nov 2006 14:27:04 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: The OpenPKG Project, http://www.openpkg.org/
Reply-to: openpkg@xxxxxxxxxxx
User-agent: Mutt/1.5.11 OpenPKG/2-STABLE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                                   OpenPKG GmbH
http://openpkg.org/security/                          http://openpkg.com
OpenPKG-SA-2006.030                                           2006-11-04
________________________________________________________________________

Package:          ruby
Vulnerability:    denial of service
OpenPKG Specific: no

Affected Series:  Affected Packages:      Corrected Packages:
E1.0-SOLID        <= ruby-1.8.5-E1.0.0     >= ruby-1.8.5-E1.0.1
2-STABLE-20061018 <= ruby-1.8.5-2.20061020 >= ruby-1.8.5-2.20061104
2-STABLE          <= ruby-1.8.5-2.20061020 >= ruby-1.8.5-2.20061104
CURRENT           <= ruby-1.8.5-20061013   >= ruby-1.8.5-20061104

Description:
  According to a vendor security information [0], a Denial of Service
  (DoS) vulnerability exists in the CGI library of the programming
  language Ruby [1], versions up to and including 1.8.5. The problem
  is triggered by sending the library an HTTP request that uses
  multipart MIME encoding and has an invalid boundary specifier that
  begins with "-" instead of "--". Once triggered it will exhaust all
  available memory resources effectively creating a DoS condition. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2006-5467 [2] to the problem.
________________________________________________________________________

References:
  [0] http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/
  [1] http://www.ruby-lang.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFFTJUbgHWT4GPEy58RAiXhAJ9Qiqy8qrAxORe4GRcko/HlXgIDzQCfWZ6f
8sWeGvX/VB6qb8FDAHM/6kg=
=Axmg
-----END PGP SIGNATURE-----

Prev by Date: [USN-376-1] imlib2 vulnerabilities
Next by Date: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
Previous by thread: [USN-376-1] imlib2 vulnerabilities
Next by thread: MajorSecurity Advisory #31]Xenis.creator CMS - Multiple Cross Site Scripting and SQL Injection Issues
Index(es):
- Date
- Thread