Date: Tue, 26 Aug 2008 11:46:03 +0300
From: Pınar Yanardağ <pinar@...dus.org.tr>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request (ruby)

Jan Lieskovsky wrote On 25-08-2008 16:20:
> Hello Steve,
>
>    Ruby upstream has announced another security flaw
> (DoS vulnerability in REXML module):
>
> http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
>
> Test case available in part: "Impact".
>
> Proposed preliminary fix: http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
>    


There is an ongoing discussion on comp.lang.ruby about announcing this 
flaw as focused more on Rails than on Ruby. [1] I agree the majority 
of vulnerable apps are Rails', but there has still been no update for Ruby's 
standard library in 3 days, though.

[1]: 
http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/19f69e8a081fc0d1/e138e014b74352ca?#e138e014b74352ca

> Testing status: REXML parsing of provided *.xml file causes
>                  100% cpu usage for about 1 and 1/4 minutes
>                  (checked the ruby-1.8.5-5.5 case).
>
> Could you please assign a CVE id for it?
>
> Thank you in advance.
>
> Kind regards
> Jan iankko Lieskovsky
> RH Security Response Team
>
>    

Regards,

-- 
Pınar Yanardağ
http://pinguar.org
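The REXML flaw under discussion is an entity-expansion DoS (the linked preliminary fix is named rexml-expansion-fix.rb, and the test case reported above pins the CPU for over a minute). The following is an added illustration, not code from this thread or from Ruby upstream: it builds a small nested-entity ("billion laughs") document and shows how the expansion limit that current REXML releases expose as REXML::Security.entity_expansion_limit turns the runaway expansion into an aborted parse instead of CPU exhaustion. The two XML documents are constructed for the example; the limit value of 100 is an arbitrary assumption chosen so the effect is visible quickly.

```ruby
require "rexml/document"

# Added illustration, not code from the thread: shows how REXML's entity
# expansion limit turns a nested-entity ("billion laughs") document from a
# CPU-exhaustion DoS into an aborted parse. Both XML strings are constructed.

# A harmless document: one entity, one expansion.
BENIGN_XML = <<~XML
  <!DOCTYPE r [ <!ENTITY greet "hello"> ]>
  <r>&greet;</r>
XML

# Nested entities: resolving &lol3; needs 1 + 10 + 100 + 1000 expansions.
# A few more levels of this is what makes an unbounded parser spin for minutes.
BILLION_LAUGHS_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY lol0 "lol">
    <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  ]>
  <r>&lol3;</r>
XML

# Parse the document and force entity expansion by reading the root text.
# Returns the expanded text, or :aborted if REXML refused to keep expanding.
# expansion_limit is the (assumed, arbitrary) cap on entity expansions; REXML
# counts every expansion, including those inside nested entity values.
def expand_root_text(xml, expansion_limit: 100)
  REXML::Security.entity_expansion_limit = expansion_limit
  doc = REXML::Document.new(xml)
  doc.root.text
rescue StandardError
  # REXML raises once the expansion limit (or its text-size limit) is hit,
  # so the parse ends with an error rather than with a pegged CPU.
  :aborted
end

if __FILE__ == $PROGRAM_NAME
  puts "benign:  #{expand_root_text(BENIGN_XML).inspect}"
  puts "nested:  #{expand_root_text(BILLION_LAUGHS_XML).inspect}"
end
```

The point for anyone shipping a fix is that the limit has to be enforced wherever an entity reference is resolved, nested values included, since the cost of the attack comes from the multiplication across levels rather than from any single entity; a cap that only counts top-level references in element text would still let the inner 1000 expansions through.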
