OpenPKG Security Advisory
OpenPKG-SA-2006.040
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2006.040 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.040 Advisory Published: 2008-08-07 22:04 UTC Issue Id (internal): OpenPKG-SI-20061221.01 Issue First Created: 2006-12-21 Issue Last Modified: 2007-04-13 Issue Revision: 08
Subject Name: Ruby Subject Summary: Programming Language Subject Home: http://www.ruby-lang.org/ Subject Versions: * < 1.8.5-p2 Vulnerability Id: CVE-2006-6303 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service Description: As confirmed by the vendor [0], a Denial of Service (DoS) vulnerability exists in the programming language Ruby [1], versions before 1.8.5-p2. The "read_multipart" function in the Ruby CGI library ("cgi.rb") does not properly detect boundaries in MIME "multipart" content, which allows remote attackers to cause an infinite loop via specially crafted HTTP requests. Notice that this issue is not the same as CVE-2006-5467 (reported in OpenPKG-SA-2006.030). References: [0] http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/ [1] http://www.ruby-lang.org/
Primary Package Name: ruby Primary Package Home: http://openpkg.org/go/package/ruby Affected Distribution: Affected Branch: Affected Package: OpenPKG Enterprise E1.0-SOLID ruby-1.8.5-E1.0.1 OpenPKG Community 2-STABLE-20061018 ruby-1.8.5-2.20061104 OpenPKG Community 2-STABLE ruby-1.8.5-2.20061104 OpenPKG Community CURRENT ruby-1.8.5-20061104 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID ruby-1.8.5-E1.0.2 OpenPKG Community 2-STABLE-20061018 pending OpenPKG Community 2-STABLE pending OpenPKG Community CURRENT ruby-1.8.5p2-20061204
