Posted by maki on 3 Nov 2006
A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and has an invalid boundary specifier that begins with “-” instead of “–”. Once triggered it will exhaust all available memory resources effectively creating a DoS condition.
Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is open to the public as CVE-2006-5467.
Vulnerable Versions
- 1.8 series
- 1.8.5 and all prior versions
- Development version (1.9 series)
- All versions before 2006-09-23
Solution
- 1.8 series
- Please apply the patch after you update to Ruby 1.8.5:
- CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)
Please note that a package that corrects this weakness may already be available through your package management software.
- Development version (1.9 series)
- Please update your Ruby to a version after September 23, 2006.