Posted by Shugo Maeda on 4 Dec 2006
Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby. A malicious user could use it to mount a denial of service (DoS) attack.
This vulnerability has been published as JVN#84798830.
Please note that the previous patch (<URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>) does not fix this problem.
Impact
A specific HTTP request to any web application that uses cgi.rb causes excessive CPU consumption on the machine running that application. Many such requests result in a denial of service.
Vulnerable versions
- 1.8 series
  - 1.8.5 and all prior versions
- Development version (1.9 series)
  - All versions before 2006-12-04
Solution
- 1.8 series
  - Please upgrade to 1.8.5-p2.
    <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz> (4519151 bytes, md5sum: a3517a224716f79b14196adda3e88057)
    Please note that a package that corrects this weakness may already be available through your package management software.
- Development version (1.9 series)
  - Please update your Ruby to a version after 2006-12-04.
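The following is an added example, not part of this advisory and not code from the Ruby project: a small Ruby script that classifies a "ruby -v" banner against the version ranges listed above and verifies a downloaded ruby-1.8.5-p2.tar.gz against the size and md5sum published here. The banner regular expression, the function names, the 64 KiB read chunk size and the sample banners are the example's own assumptions; the size and md5sum are the advisory's.

```ruby
# Added example (not part of the advisory): check a Ruby banner against the
# advisory's vulnerable ranges and verify the 1.8.5-p2 tarball checksum.
require 'digest/md5'

# Figures published in the advisory for ruby-1.8.5-p2.tar.gz.
TARBALL_SIZE = 4519151
TARBALL_MD5  = "a3517a224716f79b14196adda3e88057"
FIX_DATE     = "2006-12-04"   # 1.9 snapshots must be dated after this

# Assumed banner shapes (both seen in practice), e.g.
#   "ruby 1.8.5 (2006-12-04 patchlevel 2) [i686-linux]"
#   "ruby 2.0.0p648 (2015-12-16) [x86_64-linux]"
BANNER_RE = /\Aruby (\d+)\.(\d+)\.(\d+)(?:p(\d+))? \((\d{4}-\d{2}-\d{2})(?: patchlevel (\d+))?/

# Returns {:version => [major, minor, teeny], :patchlevel => Integer,
# :date => "YYYY-MM-DD"}, or nil when the banner is not in a known shape.
def parse_ruby_banner(banner)
  m = BANNER_RE.match(banner.to_s.strip) or return nil
  {
    :version    => [m[1], m[2], m[3]].map { |s| s.to_i },
    :patchlevel => (m[4] || m[6]).to_i,   # nil.to_i == 0: bare 1.8.5 is patchlevel 0
    :date       => m[5],
  }
end

# True when the banner falls inside the ranges under "Vulnerable versions".
# Unparseable banners raise rather than silently reporting "fixed".
def vulnerable?(banner)
  info = parse_ruby_banner(banner)
  raise ArgumentError, "unrecognised ruby banner: #{banner.inspect}" unless info
  major, minor, teeny = info[:version]
  series = [major, minor]
  if (series <=> [1, 8]) < 0
    true                                   # "1.8.5 and all prior versions"
  elsif series == [1, 8]
    teeny < 5 || (teeny == 5 && info[:patchlevel] < 2)   # fixed in 1.8.5-p2
  elsif series == [1, 9]
    # The advisory asks for a version *after* 2006-12-04, so a snapshot
    # dated that day is still treated as unfixed.
    info[:date] <= FIX_DATE
  else
    false                                  # series released after the fix
  end
end

# Banner for the interpreter running this script, built from constants that
# exist on 1.8 (RUBY_PATCHLEVEL only appears in later releases, hence the guard).
def current_banner
  pl = defined?(RUBY_PATCHLEVEL) ? " patchlevel #{RUBY_PATCHLEVEL}" : ""
  "ruby #{RUBY_VERSION} (#{RUBY_RELEASE_DATE}#{pl}) [#{RUBY_PLATFORM}]"
end

# Hex MD5 of a file, streamed so the tarball is not read into memory at once.
def file_md5_hex(path)
  md5 = Digest::MD5.new
  File.open(path, "rb") do |f|
    while (chunk = f.read(65536))
      md5.update(chunk)
    end
  end
  md5.hexdigest
end

# True only when both the size and the md5sum match the advisory's figures.
def tarball_matches_advisory?(path)
  File.size(path) == TARBALL_SIZE && file_md5_hex(path) == TARBALL_MD5
end

if __FILE__ == $0
  banner = current_banner
  status = vulnerable?(banner) ? "VULNERABLE (JVN#84798830)" : "not in the affected ranges"
  puts "#{banner}: #{status}"
  ARGV.each do |path|
    puts "#{path}: #{tarball_matches_advisory?(path) ? 'matches advisory' : 'MISMATCH'}"
  end
end
```

Run it with no arguments to classify the running interpreter, or pass the path of the downloaded tarball to verify it. Two caveats: a distribution package may backport the fix without changing the version string, so a "VULNERABLE" verdict from the banner alone should be confirmed against the package's changelog; and MD5 is the only checksum the advisory publishes, so the check confirms you have the file the advisory describes but is not, by itself, a defence against a tampered mirror.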