Updated: ruby-1.8.5-2

Corinna Vinschen corinna-cygwin@cygwin.com
Sun Nov 12 11:18:00 GMT 2006


I have updated the version of ruby on cygwin.com to 1.8.5-2.

This is a security update.  It fixes a DoS vulnerability as described
in the official message:

=======================================================================
DoS Vulnerability in CGI Library
--------------------------------

A vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS). The problem is triggered by sending the
library an HTTP request that uses multipart MIME encoding and has an
invalid boundary specifier that begins with “-” instead of “--”. Once
triggered it will exhaust all available memory resources effectively
creating a DoS condition.

Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is
open to the public as CVE-2006-5467.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467

Vulnerable Versions
--------------------
1.8 series
  1.8.5 and all prior versions

Development version (1.9 series)
  All versions before 2006-09-23

Solution
--------
1.8 series
  Please apply the patch after you update to Ruby 1.8.5:

    * CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)
    http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch

  Please note that a package that corrects this weakness may already
  be available through your package management software. 

Development version (1.9 series)
  Please update your Ruby to a version after September 23, 2006.

References
----------
  * [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
  http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
=======================================================================


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available  
starting at the above URL.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
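The quoted advisory names the trigger (a multipart body whose delimiter lines never match "--" plus the declared boundary) and the effect (unbounded memory use) but shows no defence. The following Ruby is an added example, not the code in Ruby's cgi.rb and not the patch linked above: a small multipart/form-data reader in which both the read loop and the buffer are bounded. It validates the boundary taken from Content-Type, treats a nil or empty read before Content-Length is satisfied as an error rather than a reason to read again, and caps the bytes it will buffer while searching for a delimiter. The class name, the limits and the sample requests are constructed for this example.

```ruby
require 'stringio'

# Added example (not the code in Ruby's cgi.rb and not the linked patch):
# a multipart/form-data reader whose memory use and read loop are bounded,
# so delimiter lines that never match "--" + boundary fail fast.
class MultipartReader
  class Error < StandardError; end

  MAX_BODY_BYTES = 1 << 20      # hypothetical limits chosen for this example
  MAX_PART_BYTES = 256 * 1024
  READ_CHUNK     = 4096
  CRLF           = "\r\n".b

  # RFC 2046 section 5.1.1: 1 to 70 bchars, not ending in a space.
  BOUNDARY_RE = %r{\A[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]\z}

  def self.boundary_from(content_type)
    m = %r{\Amultipart/form-data\s*;.*?boundary="?([^";,]+)"?}i.match(content_type.to_s)
    raise Error, "no multipart boundary in Content-Type" unless m
    raise Error, "illegal boundary #{m[1].inspect}" unless BOUNDARY_RE =~ m[1]
    m[1]
  end

  def initialize(io, content_type, content_length)
    raise Error, "body too large (#{content_length} bytes)" if content_length > MAX_BODY_BYTES
    @io        = io
    @remaining = content_length
    @delim     = ("--" + self.class.boundary_from(content_type)).b
    @buf       = "".b
  end

  # Returns [[name, body], ...] for every part, or raises Error.
  def parts
    result = []
    read_until(@delim, MAX_PART_BYTES)           # discard the preamble
    loop do
      tail = read_until(CRLF, 2)                 # "" before a part, "--" after the last one
      break if tail == "--".b
      raise Error, "garbage after delimiter: #{tail.inspect}" unless tail.empty?
      headers = read_until(CRLF + CRLF, 8 * 1024)
      name = headers[/name="([^"]*)"/, 1]
      raise Error, "part without a name" unless name
      result << [name, read_until(CRLF + @delim, MAX_PART_BYTES)]
    end
    result
  end

  private

  # Pull at most READ_CHUNK bytes into the buffer. A nil or empty read before
  # Content-Length is satisfied is an error, never a reason to try again, so a
  # client that stops sending cannot keep this loop spinning.
  def fill
    raise Error, "body ended before Content-Length was reached" if @remaining <= 0
    chunk = @io.read([READ_CHUNK, @remaining].min)
    raise Error, "short read from client" if chunk.nil? || chunk.empty?
    @remaining -= chunk.bytesize
    @buf << chunk.b
  end

  # Return the bytes before the next +token+, consuming them and the token.
  # Unmatched data never exceeds +limit+ plus one READ_CHUNK, so a body whose
  # delimiter never appears costs a bounded amount of memory.
  def read_until(token, limit)
    loop do
      idx = @buf.index(token)
      if idx
        head = @buf.slice!(0, idx + token.bytesize)
        return head[0, idx]
      end
      raise Error, "no #{token.inspect} within #{limit} bytes" if @buf.bytesize > limit
      fill
    end
  end
end

# Returns the parsed parts, or the Error message when the body is rejected.
def parse_multipart(body, content_type, content_length = body.bytesize)
  MultipartReader.new(StringIO.new(body), content_type, content_length).parts
rescue MultipartReader::Error => e
  e.message
end

# Constructed sample requests (not captured traffic).
GOOD_TYPE = 'multipart/form-data; boundary=xYzBoundary'
GOOD_BODY = [
  '--xYzBoundary', 'Content-Disposition: form-data; name="user"', '', 'alice',
  '--xYzBoundary', 'Content-Disposition: form-data; name="note"', '', "hi\r\nthere",
  '--xYzBoundary--', ''
].join("\r\n")
# The advisory's trigger: every delimiter line starts with "-" instead of "--".
BAD_BODY = GOOD_BODY.gsub('--xYzBoundary', '-xYzBoundary')
# A large body of non-matching delimiter lines; buffering stops at MAX_PART_BYTES.
FLOOD_BODY = "-xYzBoundary\r\n" * 30_000

if __FILE__ == $0
  p parse_multipart(GOOD_BODY, GOOD_TYPE)
  p parse_multipart(BAD_BODY, GOOD_TYPE)
  p parse_multipart(FLOOD_BODY, GOOD_TYPE)
end
```

Run stand-alone, the constructed BAD_BODY is rejected after a single read, because the reader refuses to read again once Content-Length has been consumed, and FLOOD_BODY is rejected once the unmatched buffer passes MAX_PART_BYTES, however much more the client sends. The limits are the point: whatever multipart library you actually use, check that it has an equivalent cap on unmatched data and an explicit error on short reads, since those two properties are what this class of bug exploits.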


