[Bug 218658] New: Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack(CVE-2006-5467)
https://bugzilla.novell.com/show_bug.cgi?id=218658

           Summary: Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack(CVE-2006-5467)
           Product: openSUSE 10.2
           Version: Beta 1
          Platform: All
        OS/Version: SuSE Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Development
        AssignedTo: pth@novell.com
        ReportedBy: takezou040728@yahoo.co.jp
         QAContact: qa@suse.de

The vulnerability exists in ruby (ruby-1.8.5-7) of openSUSE 10.2beta1.

#[Confirm method]
# cat /usr/lib/ruby/1.8/cgi.rb|grep c.nil
#     if c.nil?

[Patch for ruby 1.8 faction:]
http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch

[Announcement]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
http://www.ruby-lang.org/ja/news/2006/11/02/CVE-2006-5467/ --- (in Japanese)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=218658

mrueckert@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #1 from mrueckert@novell.com 2006-11-07 05:46 MST -------
the next sync should have it:

[[[
-------------------------------------------------------------------
Mon Oct 30 18:37:50 CET 2006 - mrueckert@suse.de

- added cgi_multipart_eof_fix.patch:
  fix for a denial of service condition in cgi.rb
  CVE-2006-5467 (#214916)
-------------------------------------------------------------------
]]]
https://bugzilla.novell.com/show_bug.cgi?id=218658

------- Comment #2 from takezou040728@yahoo.co.jp 2006-11-13 02:25 MST -------
I think that the problem was fixed in the ruby package of openSUSE 10.2beta2.

## get ruby-1.8.5-12.i586.rpm (of openSUSE 10.2beta2)
$ rpm2cpio ruby-1.8.5-12.i586.rpm| cpio -id;
$ cat usr/lib/ruby/1.8/cgi.rb | grep c.nil
    if c.nil? || c.empty?
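Added illustration, not code from the bug report, from Ruby's cgi.rb or from the openSUSE patch: a simplified model of the multipart read loop that shows why the `|| c.empty?` check visible in the fixed package (`if c.nil? || c.empty?`) matters. The function name, the reduced boundary handling and the iteration cap are assumptions made for the demonstration; the real unpatched loop has no cap, which is the 99% CPU condition the report describes.

```ruby
require 'stringio'

# Simplified model of the multipart body-reading loop in Ruby 1.8's cgi.rb
# (hypothetical helper, not the library's own code). It reads the request
# body in chunks until the MIME boundary shows up in the buffer, decrementing
# the remaining Content-Length after each read.
#
# patched: false  reproduces the original check (`if c.nil?`), which only
#                 detects a true end-of-file (IO#read returns nil);
# patched: true   adds the `|| c.empty?` check from the fix, so a zero-length
#                 read (Content-Length already consumed, boundary never seen)
#                 also aborts.
#
# max_iterations is a safety cap for this demonstration only; the unpatched
# library loop has none. Returns :found, :eof or :hung.
def read_until_boundary(body, boundary, content_length, patched:, max_iterations: 1000, bufsize: 1024)
  input = StringIO.new(body)
  buf = String.new
  iterations = 0

  until buf.include?(boundary)
    iterations += 1
    return :hung if iterations > max_iterations

    # Mirrors cgi.rb: read min(bufsize, remaining Content-Length) bytes.
    # IO#read(0) returns "" rather than nil, which is the root of the bug:
    # once content_length reaches 0 the loop keeps reading nothing forever.
    c = content_length > bufsize ? input.read(bufsize) : input.read(content_length)

    eof = patched ? (c.nil? || c.empty?) : c.nil?
    return :eof if eof # cgi.rb raises EOFError, "bad content body" here

    buf << c
    content_length -= c.size
  end
  :found
end

# Constructed sample body: one multipart part followed by its closing boundary.
SAMPLE_BODY = "field data\r\n--boundary--\r\n"

if __FILE__ == $PROGRAM_NAME
  # Content-Length that covers the whole body: both variants find the boundary.
  puts read_until_boundary(SAMPLE_BODY, '--boundary', SAMPLE_BODY.size, patched: false)
  # Content-Length shorter than the data before the boundary: the original
  # check spins, the fixed check raises EOFError instead.
  puts read_until_boundary(SAMPLE_BODY, '--boundary', 5, patched: false)
  puts read_until_boundary(SAMPLE_BODY, '--boundary', 5, patched: true)
end
```

The `grep c.nil` check quoted in the report is a reasonable way to confirm which variant a deployed cgi.rb carries: the single-condition `if c.nil?` is the affected code, the two-condition form is the patched one. A request whose declared Content-Length is smaller than the bytes preceding the boundary is exactly the malformed input the fixed check rejects, which is why the mongrel-users workaround linked above and the upstream patch both target this one line.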