-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2006.040 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.040 Advisory Published: 2006-12-21 10:44 UTC Issue Id (internal): OpenPKG-SI-20061221 Issue First Created: 2006-12-21 Issue Last Modified: 2006-12-21 Issue Revision: 05 ____________________________________________________________________________ Subject Name: Ruby Subject Summary: Programming Language Subject Home: http://www.ruby-lang.org/ Subject Versions: * < 1.8.5-p2 Vulnerability Id: CVE-2006-6303 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service Description: As confirmed by the vendor [0], a Denial of Service (DoS) vulnerability exists in the programming language Ruby [1], versions before 1.8.5-p2. The "read_multipart" function in the Ruby CGI library ("cgi.rb") does not properly detect boundaries in MIME "multipart" content, which allows remote attackers to cause an infinite loop via specially crafted HTTP requests. Notice that this issue is not the same as CVE-2006-5467 (reported in OpenPKG-SA-2006.030). References: [0] http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/ [1] http://www.ruby-lang.org/ ____________________________________________________________________________ Primary Package Name: ruby Primary Package Home: http://openpkg.org/go/package/ruby Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID ruby-1.8.5-E1.0.2 OpenPKG Community CURRENT ruby-1.8.5p2-20061204 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document. ____________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG GmbH <http://openpkg.com/> iD8DBQFFileEZwQuyWG3rjQRAk38AJ9qLpm6jGFNsihGolInP3cISEUhQACgwOxc gPjn4lFUDpWQMR+Bly+zkWI= =dHjJ -----END PGP SIGNATURE----- ______________________________________________________________________ The OpenPKG Project www.openpkg.org Project Announcement List openpkg-announce@openpkg.org
