FS#15047 - [ruby] DoS vulnerability in BigDecimal

Attached to Project: Arch Linux
Opened by kkl2401 (kkl2401) - Wednesday, 10 June 2009, 19:59 GMT
Last edited by Allan McRae (Allan) - Sunday, 14 June 2009, 09:21 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: I stumbled upon this: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ It says that all 1.8.7 versions up to (and including) p160 (which is what is now in extra) are vulnerable. I haven't tried it myself though.

Closed by Allan McRae (Allan)
Sunday, 14 June 2009, 09:21 GMT
Reason for closing: Fixed
Additional comments about closing: ruby-1.8.7_p173-1
Comment by Brandon Martin (bmartin) - Thursday, 11 June 2009, 19:30 GMT
Here is the ftp link provided in the post for an updated version that is supposed to fix the problem.

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz
Comment by Greg (dolby) - Thursday, 11 June 2009, 21:20 GMT
ruby-1.9 is already in testing..
Comment by Brandon Martin (bmartin) - Thursday, 11 June 2009, 21:47 GMT
I know that 1.9 is in testing, but the link I posted is a version bump of 1.8.6 that fixes the DoS vulnerability.
Comment by Brandon Martin (bmartin) - Thursday, 11 June 2009, 21:48 GMT
I meant the post linked the 1.8.7 one, sorry.

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.gz
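As an added example (not part of this ticket, the Arch package, or the ruby-lang.org advisory), here is a small Ruby helper that classifies a version string of the kind quoted above against the ranges this ticket gives. The thresholds come from the ticket text: 1.8.7 up to and including p160 is affected, and 1.8.7-p173 and 1.8.6-p369 are the releases named as fixed. Treating 1.8.7 patchlevels between 160 and 173, and 1.8.6 below p369, as "unspecified" rather than affected is my reading of the thread, not something it states; the ticket does not give the trigger for the crash, so the helper deliberately does not try to reproduce it. The parser accepts both the tarball form (1.8.7-p173) and the Arch pkgver form (ruby-1.8.7_p173-1) used in the thread.

```ruby
# Added example: classify a Ruby version/patchlevel string against the
# BigDecimal DoS ranges given in this ticket. Not code from the ticket or
# from ruby-lang.org. Thresholds below are the ones the thread names.
ADVISORY_RANGES = {
  # last_affected: highest patchlevel the ticket calls vulnerable (nil = not stated)
  # first_fixed:   patchlevel the thread names as the fixing release
  "1.8.7" => { last_affected: 160, first_fixed: 173 },
  "1.8.6" => { last_affected: nil, first_fixed: 369 }, # only p369 is named; lower levels are an assumption
}.freeze

# Parse "1.8.7_p160-1", "ruby-1.8.7_p173-1", "1.8.7-p173" or a bare "1.8.7".
# Returns [version, patchlevel_or_nil]; raises on anything else.
def parse_ruby_version(str)
  m = /\A(?:ruby-)?(\d+\.\d+\.\d+)(?:[-_]p(\d+))?(?:-\d+)?\z/.match(str.strip)
  raise ArgumentError, "unrecognised version string: #{str.inspect}" unless m
  [m[1], m[2] && m[2].to_i]
end

# :affected           patchlevel <= last_affected for that version
# :fixed              patchlevel >= first_fixed
# :unspecified        in scope, but the ticket does not say either way
# :unknown_patchlevel version given without a patchlevel, so undecidable
# :not_in_scope       a version line the ticket does not talk about
def bigdecimal_dos_status(version_string)
  version, patch = parse_ruby_version(version_string)
  range = ADVISORY_RANGES[version]
  return :not_in_scope unless range
  return :unknown_patchlevel if patch.nil?
  return :fixed if patch >= range[:first_fixed]
  return :affected if range[:last_affected] && patch <= range[:last_affected]
  :unspecified
end

# Classify the interpreter running this script. RUBY_PATCHLEVEL is -1 on
# development builds, in which case the patchlevel is left out.
def running_ruby_status
  patch = RUBY_PATCHLEVEL.to_i >= 0 ? "-p#{RUBY_PATCHLEVEL}" : ""
  bigdecimal_dos_status("#{RUBY_VERSION}#{patch}")
end

if __FILE__ == $0
  # Constructed inputs: the two package versions this ticket mentions.
  %w[ruby-1.8.7_p160-1 ruby-1.8.7_p173-1 1.8.6-p369].each do |v|
    puts "#{v}: #{bigdecimal_dos_status(v)}"
  end
  puts "this interpreter (#{RUBY_VERSION}): #{running_ruby_status}"
end
```

The :unspecified result is the important one for a packager: a 1.8.6-p287 or a hypothetical 1.8.7-p165 is not cleared by anything in this thread, so it should be treated as needing the advisory itself, not as fixed.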
