oss-sec mailing list archives
Re: CVE request: 3 DoS conditions in Rake
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 14 Jan 2013 18:53:16 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/14/2013 05:20 PM, Vincent Danen wrote:
Three issues were noted in recent release of upstream Rake. All are DoS issues. From https://bugzilla.redhat.com/show_bug.cgi?id=895277 (2 issues): Upstream released [1] Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a denial of service condition when Rack parses content with a certain Content-Disposition header as noted in the original report [2]. This has been fixed in git [3].
Please use CVE-2012-6109 for this issue (fixed in Rack 1.4.2 and so on)
Additionally, a second flaw that was fixed in 1.4.4, 1.3.9, 1.2.7, and 1.1.5 was also announced [4] that creates a minor denial of service condition, this time in the Rack::Auth::AbstractRequest, where it symbolized arbitrary strings (apparently this has something to do with authentication, but there is no further information provided other than the fix [5] itself, which is noted as "a breaking API change").
Please use CVE-2013-0184 for this issue (fixed in Rack 1.4.4 and so on)
[1] http://rack.github.com/ [2] https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
[3]
https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e [4] https://groups.google.com/forum/#!topic/rack-devel/ImYOqcGiksw/discussion
[5]
https://github.com/rack/rack/commit/0c76175fcccad74ba2f991c487d3669c28a297c8
=====================
And from https://bugzilla.redhat.com/show_bug.cgi?id=895282:
Upstream released [1] Rack 1.4.3 and 1.3.8 to fix a denial of service condition due to a malicious client sending excessively long lines that trigger an out-of-memory error in Rack. This has been fixed in git [2].
Please use CVE-2013-0183 for this issue (fixed in Rack 1.4.3 and so on)
[1] https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI/discussion
[2]
https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18
Please
use CVE-2012-6109 for this issue (fixed in Rack 1.4.2, released in 2012 so 2012 CVE)
Could three CVEs be assigned for these issues please? Thanks.
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ9LaMAAoJEBYNRVNeJnmTmV0P/ihQNH1ta7ju4e5QvkhV2AQT k+AlM+tyrS8lIFQ5ywrydnKUPemm/LSh3mFyMnqG2JxYR4B9aooC86VBoR8il/wF a3UJv4nlmqOCXY4v+px7YoCcsIUK5saf5NGTsdCG3oej+d2xgpiVdVvZoD9dx9Ih RN42/KhPJzGE+s/Mi5DTz2IVVG/s1Egu7UlEM8ySwWyHCLQhIITccidR54dwbla5 ATOAx23WDeVTG35vvgMPXVZUgzHl6fg2n027ZTQrLABuYZ7dDKM5aspI1f2lLPoc bli6bIveH2XPoMME+E39gYcWktF5E+Mocoks1QlAzULJOZiABZKj5lnVE41mbFOm 2oUljrZ0b2LWwXMAnfCW6xzWDUFmFiUe/Yu8AS/6X4uPSJ9Wrkq6arOjzm6sEEP+ 7efhPvPnY/zPDzOJAAG+ggGvBxKd1iWWzimg1pMwrXyEuEwWSnxlfTguWGRqC1f0 CBFsLqdMUgY4+DxyJYhZCfnhYzUjve1fPBLm/U6ADDxvWliNVFyyW8QXAHNYOUG4 /3NIKWYhMt/9clV7DtdV38w5/sp+uHdooPAKhpv2ZZ7n/M1mEBlfjHoG0+OPfYVh jJcxfaF08gM67XaT6poyRzsna7kTZbCmUotMFuPKfHxq/ikuKEF53NEG0ahFa4Kh tucpKur4ikJaT5hMixng =n42W -----END PGP SIGNATURE-----
Current thread:
- CVE request: 3 DoS conditions in Rake Vincent Danen (Jan 14)
- Re: CVE request: 3 DoS conditions in Rake Kurt Seifried (Jan 14)