Ruby: Denial of Service issue — GLSA 200411-23

The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.

Affected packages

Package 	dev-lang/ruby on all architectures
Affected versions 	< 1.8.2_pre3
Unaffected versions 	revision >= 1.6.8-r12
>= 1.8.2_pre3

Background

Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby's CGI module can be used to build web applications.

Description

Ruby's developers found and fixed an issue in the CGI module that can be triggered remotely and cause an infinite loop.

Impact

A remote attacker could trigger the vulnerability through an exposed Ruby web application and cause the server to use unnecessary CPU resources, potentially resulting in a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All Ruby 1.6.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.6.8-r12"

All Ruby 1.8.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2_pre3"

References

    CAN-2004-0983