Bug 138366

Summary: CAN-2004-0983 Denial of Service in Ruby
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: ruby
Assignee: Akira TAGOH <tagoh>
Status: CLOSED ERRATA
QA Contact: Bill Huang <bhuang>
Severity: medium
Docs Contact:
Priority: medium
Version: 3
CC: deisenst
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20041103
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2004-11-11 05:07:57 UTC
Type: ---

Description Josh Bressers 2004-11-08 16:38:49 UTC
Upstream has fixed a denial of service issue in ruby.  The CGI module
could enter into an infinite loop if a specially crafted request is
sent to it.

This issue should also affect FC2.

Comment 1 Josh Bressers 2004-11-08 16:53:19 UTC
Attachment 106289 contains the patch for this issue.

Comment 2 David Eisenstein 2004-11-10 04:49:07 UTC
This issue appears to also affect FC1 (Legacy).  See 
  http://bugzilla.fedora.us/show_bug.cgi?id=2007
for our response to this.

Comment 3 Josh Bressers 2004-11-10 10:57:24 UTC
This issue is not the same one covered by

http://bugzilla.fedora.us/show_bug.cgi?id=2007

That bug deals with insecure temporary files; this issue is a DoS.
Both deal with the Ruby CGI layer though.

Comment 4 Akira TAGOH 2004-11-11 05:07:57 UTC
Should be fixed in 1.8.1-6.FC2.0 and 1.8.1-7.FC3.1.