Debian 4.0: DSA-1652-1 Critical: Denial Of Service Risks In Ruby 1.9
debian
October 12, 2008
Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service and other
security problems.
Summary
Keita Yamaguchi discovered that several safe level restrictions
are insufficiently enforced.
CVE-2008-3656
Christian Neukirchen discovered that the WebRick module uses
inefficient algorithms for HTTP header splitting, resulting in
denial of service through resource exhaustion.
CVE-2008-3657
It was discovered that the dl module doesn't perform taintness
checks.
CVE-2008-3790
Luka Treiber and Mitja Kolsek discovered that recursively nested
XML entities can lead to denial of service through resource
exhaustion in rexml.
CVE-2008-3905
Tanaka Akira discovered that the resolv module uses sequential
transaction IDs and a fixed source port for DNS queries, which
makes it more vulnerable to DNS spoofing attacks.
For the stable distribution (etch), these problems have been fixed in
version 1.9.0+20060609-1etch3. Packages for arm will be provided later.
For the unstable distribution (sid), these problems have been fixed in
version...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!