Red Hat Bugzilla – Bug 470252
CVE-2008-4310 ruby: Incomplete fix for CVE-2008-3656
Last modified: 2008-12-17 04:01:09 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3656 to
the following vulnerability:
Algorithmic complexity vulnerability in WEBrick::HTTP::DefaultFileHandler in
WEBrick in Ruby 1.8.5 and earlier, 1.8.5 through 1.8.6-p286, 1.8.7 through
1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a
denial of service (CPU consumption) via a crafted HTTP request that is
processed by a backtracking regular expression.
Vincent Danen from LinSec discovered the original patch for this flaw, provided by Red Hat, did not properly address this flaw.
Created attachment 322718 [details]
Proper patch to address CVE-2008-4310 issue.
removing embargo ready for us to push an update to correct this issue.
Further details about this issue can be found here:
This issue was addressed in:
Red Hat Enterprise Linux: