Summary
A vulnerability has been reported in Ruby, which can be exploited by malicious people to cause a DoS (Denial of Service).
Description
The vulnerability is caused by an error in the REXML library when processing recursively nested XML entities. This can be exploited to cause a DoS via a specially crafted XML document.
Note: This vulnerability was found by Luka Treiber and Mitja Kolsek of ACROS Security.
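The amplification from nested entities described above can be measured before a document reaches the parser. The following Ruby check is an added example, not code from this advisory or from REXML; the function name, the 10,000-byte and 32-level limits, and the sample document are assumptions constructed for illustration.

```ruby
# Pre-parse guard: compute how large each internal general entity would become
# when fully expanded, without performing the expansion.
# Not covered: parameter entities (<!ENTITY % ...>) and external (SYSTEM/PUBLIC) entities.
ENTITY_DECL = /<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF  = /&([\w.:-]+);/

class EntityLimitExceeded < StandardError; end

# Returns {entity name => expanded size in bytes}; raises EntityLimitExceeded
# when an entity is too large, too deeply nested, or cyclic.
# max_bytes and max_depth are assumed policy values, not REXML settings.
def expanded_entity_sizes(xml, max_bytes: 10_000, max_depth: 32)
  decls = {}
  xml.scan(ENTITY_DECL) { |name, dq, sq| decls[name] ||= (dq || sq) } # first declaration wins
  sizes = {}
  measure = lambda do |name, depth|
    return sizes[name] if sizes.key?(name) # memoised: each entity is measured once
    if depth > max_depth
      raise EntityLimitExceeded, "entity #{name}: nesting deeper than #{max_depth} levels or cyclic"
    end
    value = decls[name]
    total = value.gsub(ENTITY_REF, "").bytesize # literal text of this declaration
    value.scan(ENTITY_REF).flatten.each do |ref|
      # Undeclared names (e.g. predefined &lt;) are counted at their written length.
      total += decls.key?(ref) ? measure.call(ref, depth + 1) : ref.bytesize + 2
    end
    raise EntityLimitExceeded, "entity #{name} expands to #{total} bytes" if total > max_bytes
    sizes[name] = total
  end
  decls.each_key { |name| measure.call(name, 0) }
  sizes
end

# Constructed sample: three levels of nesting, 10x growth per level.
SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY a "0123456789">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <note>&c;</note>
XML

p expanded_entity_sizes(SAMPLE)
```

Because sizes are memoised and checked at every level, the guard runs in time proportional to the size of the declarations, however large the expansion itself would be.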
Affected packages:
Pardus 2008:
ruby, all before 1.8.7_p72-17-5
ruby-mode, all before 1.8.7_p72-17-5
Pardus 2007:
ruby, all before 1.8.7_p72-17-14
ruby-mode, all before 1.8.7_p72-17-5
Resolution
Updates are available for ruby and ruby-mode. You can install them via Package Manager or with a single command from the console:
Pardus 2008:
pisi up ruby ruby-mode
Pardus 2007:
pisi up ruby ruby-mode
References