Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3656 to the following vulnerability: Algorithmic complexity vulnerability in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.5 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Vincent Danen from LinSec discovered that the original patch for this flaw, provided by Red Hat, did not properly address this flaw.
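The CVE text above describes an algorithmic-complexity flaw: a request string that drives a backtracking regular expression into exponential work. The Ruby snippet below is an added illustration, not the WEBrick code or the Red Hat patch; the patterns and the input are constructed, and the nested pattern is not the one WEBrick used. It shows the two controls a Ruby defender has: a match-time budget (Regexp.timeout on Ruby 3.2 and later, with Timeout.timeout as the fallback for older interpreters, which check for interrupts on every backtrack) and, on Ruby 3.2 and later, Regexp.linear_time? to audit whether a pattern is covered by the engine's memoisation. That memoisation also makes this particular nested pattern linear on 3.2+, so the :timeout outcome is only observed on older engines.

```ruby
require 'timeout'

# Constructed patterns (not WEBrick's own code or the Red Hat patch): nested
# quantifiers are the textbook shape that makes a backtracking engine try every
# way of splitting a run of characters before it can report a non-match; the
# second pattern accepts exactly the same strings without the nesting.
NESTED_PATTERN = /\A(a+)+\z/
FLAT_PATTERN   = /\Aa+\z/

# Constructed non-matching input: a long run of the repeated character ending in
# one character the pattern cannot accept, so the match is bound to fail.
def non_matching_run(length)
  ('a' * length) + '!'
end

# Match under a wall-clock budget. Returns MatchData on a match, nil on a clean
# non-match, or :timeout when the engine was still working at the deadline.
# Regexp.new(..., timeout:) (Ruby 3.2+) is the engine-level control;
# Timeout.timeout is the fallback for older interpreters.
def match_with_deadline(pattern, input, seconds)
  if Regexp.respond_to?(:timeout=)
    budgeted = Regexp.new(pattern.source, pattern.options, timeout: seconds)
    begin
      budgeted.match(input)
    rescue Regexp::TimeoutError
      :timeout
    end
  else
    begin
      Timeout.timeout(seconds) { pattern.match(input) }
    rescue Timeout::Error
      :timeout
    end
  end
end

# Audit hook: on Ruby 3.2+ Regexp.linear_time? reports whether the engine's
# memoisation keeps matching linear for this pattern. Older interpreters give
# no such guarantee, so nil ("unknown") is returned instead of a guess.
def linear_time_guaranteed?(pattern)
  return nil unless Regexp.respond_to?(:linear_time?)
  Regexp.linear_time?(pattern)
end

if $PROGRAM_NAME == __FILE__
  input = non_matching_run(40)
  [NESTED_PATTERN, FLAT_PATTERN].each do |re|
    puts "#{re.inspect}: linear=#{linear_time_guaranteed?(re).inspect} " \
         "result=#{match_with_deadline(re, input, 0.5).inspect}"
  end
end
```

The budget is the control that applies regardless of how a pattern was written; the linear_time? audit is the cheaper check to run over a code base's patterns before shipping, since it needs no hostile input at all.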
Created attachment 322718
Proper patch to address the CVE-2008-4310 issue.
Removing embargo; ready for us to push an update to correct this issue.
Further details about this issue can be found here: http://www.openwall.com/lists/oss-security/2008/12/04/2
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0981.html