oss-sec mailing list archives
Re: CVE Request (ruby)
From: Pınar Yanardağ <pinar () pardus org tr>
Date: Tue, 26 Aug 2008 11:46:03 +0300
Jan Lieskovsky wrote on 25-08-2008 16:20:

> Hello Steve,
>
> Ruby upstream has announced another security flaw (DoS vulnerability in REXML module):
> http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
>
> Test case available in part: "Impact".
>
> Proposed preliminary fix:
> http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
There is an ongoing discussion on comp.lang.ruby about announcing this flaw as focused more on Rails than on Ruby. [1] I agree the majority of vulnerable apps are Rails', but there is still no update for Ruby's standard library after 3 days, though.
[1]: http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/19f69e8a081fc0d1/e138e014b74352ca?#e138e014b74352ca
> Testing status: REXML parsing of provided *.xml file causes 100% cpu usage for about 1 and 1/4 minutes (checked the ruby-1.8.5-5.5 case).
>
> Could you please assign a CVE id for it?
>
> Thank you in advance.
>
> Kind regards
> Jan iankko Lieskovsky
> RH Security Response Team
Regards,
--
Pınar Yanardağ
http://pinguar.org
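Added example (not part of this thread, and not the upstream fix or test case): a small Ruby check a packager can run to confirm that the entity expansion limit introduced by rexml-expansion-fix.rb is in force on a patched build. It uses REXML::Document.entity_expansion_limit=, the setter that fix adds (newer rexml also exposes it as REXML::Security.entity_expansion_limit=). The nested-entity document below is constructed for this check and deliberately tiny (three levels of ten references, about a thousand leaf expansions); an unpatched REXML simply expands it, a patched one aborts with a RuntimeError once the configured limit is exceeded. The function name parse_with_limit is mine.

```ruby
require 'rexml/document'

# Constructed sample document (not the advisory's test case): each entity
# references the previous one ten times, so &e3; expands to 1000 copies of
# "x" and costs roughly 1111 entity expansions in total. The denial of
# service in the advisory comes from the same shape with more levels.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE doc [
    <!ENTITY e0 "x">
    <!ENTITY e1 "&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;">
    <!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
    <!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
  ]>
  <doc>&e3;</doc>
XML

# Parse +xml+ with the given entity expansion limit in force, then force
# expansion by reading the root element's text. Returns a status hash
# instead of raising so the outcome can be checked programmatically.
# The limit is process-global state, so it is restored afterwards.
def parse_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit   # setter added by the 2008 fix
  doc = REXML::Document.new(xml)
  text = doc.root.text   # entities are expanded here (newer rexml may already do it in Document.new)
  { status: :ok, bytes: text.bytesize }
rescue RuntimeError => e
  # The limit check raises RuntimeError ("number of entity expansions
  # exceeded, processing aborted."); REXML::ParseException is a RuntimeError too.
  { status: :blocked, message: e.message }
ensure
  REXML::Document.entity_expansion_limit = previous
end

if $PROGRAM_NAME == __FILE__
  p parse_with_limit(NESTED_ENTITY_XML, 10_000)  # => status :ok, bytes 1000
  p parse_with_limit(NESTED_ENTITY_XML, 100)     # => status :blocked
end
```

The first call uses the default limit of 10000 from the fix, which this small sample stays under; the second lowers the limit to 100 so the abort path is exercised without having to feed the parser a document large enough to pin a CPU. On an unpatched ruby-1.8.5 REXML the setter itself is missing (NoMethodError), which is a quick way to tell whether the fix is actually in the package being tested.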