| Date: | Sun, 12 Nov 2006 11:07:26 +0100 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | [ANNOUNCEMENT] Updated: ruby-1.8.5-2 |
| Message-Id: | <announce.20061112100726.GC11304@calimero.vinschen.de> |
I have updated the version of ruby on cygwin.com to 1.8.5-2.
This is a security update. It fixes a DoS vulnerability as described
in the official message:
=======================================================================
DoS Vulnerability in CGI Library
--------------------------------
A vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS). The problem is triggered by sending the
library an HTTP request that uses multipart MIME encoding and has an
invalid boundary specifier that begins with “-” instead of “--”. Once
triggered it will exhaust all available memory resources effectively
creating a DoS condition.
Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is
open to the public as CVE-2006-5467.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
Vulnerable Versions
-------------------
1.8 series
    1.8.5 and all prior versions
Development version (1.9 series)
    All versions before 2006-09-23
Solution
--------
1.8 series
    Please apply the patch after you update to Ruby 1.8.5:
    * CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)
      http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch
    Please note that a package that corrects this weakness may already
    be available through your package management software.
Development version (1.9 series)
    Please update your Ruby to a version after September 23, 2006.
References
----------
* [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
=======================================================================
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
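As an added example (not code from the advisory, from cgi.rb, or from the Cygwin package), here is a Ruby pre-check a front end can run before handing a multipart request to the CGI library: it extracts the boundary from Content-Type, caps its length per RFC 2046, reads only the first line of the body, and requires that line to be the exact `--boundary` delimiter, so a body opening with a single "-" is rejected instead of being searched for a delimiter that never appears. The function names and the sample request bodies are constructed for this example.

```ruby
# Added example: reject malformed multipart bodies before full parsing.
# Not part of the Ruby CGI library; the names below are hypothetical.

BOUNDARY_MAX = 70 # RFC 2046 section 5.1.1: a boundary is at most 70 chars

# Extract the boundary parameter from a Content-Type header value.
# Returns nil when the media type is not multipart, the parameter is
# missing, or the boundary exceeds the RFC length limit.
def multipart_boundary(content_type)
  return nil unless content_type && content_type =~ %r{\Amultipart/}i
  m = content_type.match(/;\s*boundary=(?:"([^"]+)"|([^;\s]+))/i)
  return nil unless m
  b = m[1] || m[2]
  b.length > BOUNDARY_MAX ? nil : b
end

# Return the first line of the body, looking at no more than +limit+ bytes,
# so the check itself cannot be made to read an unbounded amount of data.
def first_line(body, limit)
  head = body[0, limit] || ""
  head.split(/\r?\n/, 2).first.to_s.rstrip
end

# True only when the body opens with the exact "--<boundary>" delimiter line
# announced in Content-Type. A body starting with "-<boundary>" fails here.
def valid_multipart_opening?(content_type, body)
  b = multipart_boundary(content_type)
  return false unless b
  # "--" + boundary + CRLF is at most BOUNDARY_MAX + 4 bytes.
  first_line(body, BOUNDARY_MAX + 4) == "--#{b}"
end

# Constructed sample request (not captured traffic).
SAMPLE_TYPE = 'multipart/form-data; boundary=AaB03x'
GOOD_BODY = "--AaB03x\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n" \
            "hello\r\n--AaB03x--\r\n"
# Same body with the delimiter prefixed by a single dash, the shape the
# advisory describes: a compliant parser never finds "--AaB03x" in it.
BAD_BODY = GOOD_BODY.gsub("--AaB03x", "-AaB03x")

if __FILE__ == $0
  puts "good body accepted: #{valid_multipart_opening?(SAMPLE_TYPE, GOOD_BODY)}"
  puts "bad body accepted:  #{valid_multipart_opening?(SAMPLE_TYPE, BAD_BODY)}"
end
```

The check is only a gate in front of the parser; the real fix is the patched cgi.rb, and a server should still cap request body size independently.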