Bug 218287 (CVE-2006-6303)
| Summary: | CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Red Hat Product Security <security-response-team> | ||||
| Component: | vulnerability | Assignee: | Akira TAGOH <tagoh> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Bill Huang <bhuang> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | eng-i18n-bugs, kreilly | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/ | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-07-21 09:31:15 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 320371, 320381, 451930, 451931 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Lubomir Kundrak
2006-12-04 14:09:50 UTC
Created attachment 142732 [details]
Upstream patch for ruby cgi.rb DoS
Is this worth being called a security issue? Josh pointed out that ruby has a built-in webserver. What happens to the CGI when a client connection times-out there, does it allways get killed? If you are referring to Webrick, it doesn't use CGI class that has fixed this time. and whether or not CGI is killed depends on the implementation of the webserver, anyway. cgi.rb can be usually used in just a CGI script as usual and embedded Ruby script in html too. Fixed in 1.8.1-7.el4.9. Upstream advisory and patch: http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/ http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=11330 This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0961.html http://rhn.redhat.com/errata/RHSA-2008-0562.html Reporter changed to security-response-team by request of Jay Turner. |