This is the mail archive of the cygwin mailing list for the Cygwin project.
[ANNOUNCEMENT] Updated: ruby-1.8.5-2
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Sun, 12 Nov 2006 11:07:26 +0100
- Subject: [ANNOUNCEMENT] Updated: ruby-1.8.5-2
- Reply-to: cygwin at cygwin dot com
I have updated the version of ruby on cygwin.com to 1.8.5-2.
This is a security update. It fixes a DoS vulnerability as described
in the official message:
=======================================================================
DoS Vulnerability in CGI Library
--------------------------------
A vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS). The problem is triggered by sending the
library an HTTP request that uses multipart MIME encoding and has an
invalid boundary specifier that begins with '-' instead of '--'. Once
triggered it will exhaust all available memory resources effectively
creating a DoS condition.
Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is
open to the public as CVE-2006-5467.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
Vulnerable Versions
--------------------
1.8 series
1.8.5 and all prior versions
Development version (1.9 series)
All versions before 2006-09-23
Solution
--------
1.8 series
Please apply the patch after you update to Ruby 1.8.5:
* CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)
http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch
Please note that a package that corrects this weakness may already
be available through your package management software.
Development version (1.9 series)
Please update your Ruby to a version after September 23, 2006.
References
----------
* [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
=======================================================================
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:
cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com
If you need more information on unsubscribing, start reading here:
http://sources.redhat.com/lists.html#unsubscribe-simple
Please read *all* of the information on unsubscribing that is available
starting at the above URL.
--
Corinna Vinschen              Please, send mails regarding Cygwin to
Cygwin Project Co-Leader      cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
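The advisory quoted above describes the trigger (a multipart body whose delimiter lines start with '-' rather than '--') but not the loop that mishandles it. The following is an added example, written for this page; it is not lib/cgi.rb, not the ruby-lang patch, and not Cygwin's code. It is a deliberately small multipart/form-data reader built around the same "refill the buffer until the delimiter appears" pattern, with the vulnerable and hardened behaviour selected by a `strict:` flag. The function names, the sample request, the read budget (instrumentation so the demo cannot hang) and the exact hardening check (treat an empty or nil read as a malformed body) are all assumptions of this model; which resource the real library burned while spinning depends on cgi.rb internals the page does not show.

```ruby
# Added model of the CVE-2006-5467 failure mode. This is NOT lib/cgi.rb:
# it is a small multipart reader built around the same
# "read until the delimiter shows up" loop, so the non-termination is
# visible without the real library. Names, the sample request and the
# read budget are constructed for this example.
require "stringio"

EOL = "\r\n".freeze
BUFSIZE = 10 * 1024

# Raised only by the instrumented (non-strict) reader so the demo cannot
# hang. The vulnerable pattern has no such guard; that is the bug.
class ReadBudgetExceeded < StandardError; end

# Parse a multipart/form-data body from +io+ whose Content-Type named
# +boundary+ and whose Content-Length was +content_length+.
# strict: false -> vulnerable pattern: an empty or nil read is appended
#                  as "" and the loop simply tries again, forever.
# strict: true  -> hardened pattern: an empty or nil read means the stream
#                  ended before the delimiter, i.e. the body is malformed.
def read_multipart(io, boundary, content_length, strict:, read_budget: 1_000)
  delim_re = /(?:\A|#{EOL})--#{Regexp.escape(boundary)}(--)?#{EOL}/
  buf = +""
  parts = []
  reads = 0
  opened = false

  loop do
    # Refill until the buffer contains the delimiter that ends this part.
    until (m = delim_re.match(buf))
      c = io.read(BUFSIZE < content_length ? BUFSIZE : content_length)
      reads += 1
      if strict && (c.nil? || c.empty?)
        raise EOFError, "bad content body"
      end
      raise ReadBudgetExceeded, "#{reads} reads without progress" if reads > read_budget
      buf << c.to_s                        # "" after read(0) or nil: no progress
      content_length -= c.to_s.bytesize
    end

    if opened
      head, body = m.pre_match.split(EOL + EOL, 2)
      parts << { headers: head.to_s, body: body.to_s }
    else
      # The very first delimiter must open the body at offset 0.
      raise EOFError, "bad content body" unless m.begin(0).zero?
      opened = true
    end
    buf = m.post_match
    return parts if m[1] == "--"           # closing delimiter "--boundary--"
  end
end

# Constructed sample request body (two parts) for the demo.
BOUNDARY = "XyZ"
GOOD_BODY = [
  "--XyZ",
  'Content-Disposition: form-data; name="user"',
  "",
  "alice",
  "--XyZ",
  'Content-Disposition: form-data; name="upload"; filename="note.txt"',
  "Content-Type: text/plain",
  "",
  "hello, world",
  "--XyZ--",
  "",
].join(EOL).freeze

# The trigger from the advisory: delimiter lines carry "-" instead of "--",
# so "--XyZ" never appears and the reader can never reach a closing delimiter.
BAD_BODY = GOOD_BODY.gsub("--XyZ", "-XyZ").freeze

# Run one reader over a body and report how it ended.
def outcome(body, strict:, content_length: body.bytesize)
  parts = read_multipart(StringIO.new(body), BOUNDARY, content_length, strict: strict)
  [:ok, parts]
rescue EOFError
  [:rejected]
rescue ReadBudgetExceeded
  [:spinning]
end

if __FILE__ == $0
  p outcome(GOOD_BODY, strict: false)
  p outcome(GOOD_BODY, strict: true)
  p outcome(BAD_BODY, strict: false)   # [:spinning]
  p outcome(BAD_BODY, strict: true)    # [:rejected]
end
```

Both readers accept the well-formed body and return the same two parts. On the single-dash body the non-strict reader consumes its whole Content-Length, then keeps calling `read(0)` (or gets `nil` when Content-Length overstates the body) and never makes progress; the strict reader fails on the first such read with `EOFError`, which is the response a CGI front end can turn into a 400 instead of a stuck process.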