This is the mail archive of the cygwin mailing list for the Cygwin project.


[ANNOUNCEMENT] Updated: ruby-1.8.5-2

I have updated the version of ruby on to 1.8.5-2.

This is a security update.  It fixes a DOS vulnerability as described
in the official message:

DoS Vulnerability in CGI Library

A vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS). The problem is triggered by sending the
library an HTTP request that uses multipart MIME encoding and has an
invalid boundary specifier that begins with "-" instead of "--". Once
triggered it will exhaust all available memory resources effectively
creating a DoS condition.

Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is
open to the public as CVE-2006-5467.

Vulnerable Versions
1.8 series
  1.8.5 and all prior versions

Development version (1.9 series)
  All versions before 2006-09-23

1.8 series
  Please apply the patch after you update to Ruby 1.8.5:

    * CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)

  Please note that a package that corrects this weakness may already
  be available through your package management software. 

Development version (1.9 series)
  Please update your Ruby to a version after September 23, 2006.

  * [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

To update your installation, click on the "Install Cygwin now" link on
the web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.



Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
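
An added illustration, not part of the announcement or of the Ruby patch: a pre-parse check that refuses a multipart/form-data body unless its delimiter lines start with "--" followed by the declared boundary, which is the malformed case the advisory describes. The names MAX_BODY, BOUNDARY_CHARS, multipart_boundary and well_formed_multipart?, the 1 MiB cap and the sample requests are assumptions made for this example; it complements the fixed package and does not replace it.

```ruby
# Added example: names and limits below are assumptions, not cgi.rb code.
MAX_BODY = 1024 * 1024 # assumed upper bound on an accepted request body
BOUNDARY_CHARS = %r{\A[0-9A-Za-z'()+_,\-./:=? ]{1,70}\z} # RFC 2046 bchars

# Return the boundary parameter of a multipart/form-data Content-Type, or nil
# when the header is not multipart/form-data or the boundary is malformed.
def multipart_boundary(content_type)
  m = %r{\Amultipart/form-data\s*;.*?\bboundary=(?:"([^"]+)"|([^;\s]+))}i
        .match(content_type.to_s)
  boundary = m && (m[1] || m[2])
  boundary if boundary && boundary =~ BOUNDARY_CHARS
end

# True only when the body opens with "--<boundary>" and contains the closing
# "--<boundary>--" delimiter; anything else is refused before parsing.
def well_formed_multipart?(content_type, body)
  boundary = multipart_boundary(content_type)
  return false if boundary.nil? || body.nil?
  return false if body.bytesize > MAX_BODY
  raw = body.b # compare bytes, since uploaded parts may be binary
  delim = "--#{boundary}"
  raw.start_with?("#{delim}\r\n") && raw.include?("\r\n#{delim}--")
end

# Constructed sample requests (not captured traffic).
CTYPE = 'multipart/form-data; boundary=XyZ'
GOOD  = "--XyZ\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\n1\r\n--XyZ--\r\n"
BAD   = GOOD.gsub("--XyZ", "-XyZ") # delimiter lines begin with "-" only

puts "well-formed body accepted: #{well_formed_multipart?(CTYPE, GOOD)}"
puts "single-dash body accepted: #{well_formed_multipart?(CTYPE, BAD)}"
```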
