A possible denial of service attack in the XML processing in Active Support has been reported. Specially crafted XML documents can cause applications to raise a `SystemStackError`, resulting in a denial of service. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.

Workarounds
-----------

Use an XML parser that is not impacted by this problem, such as Nokogiri or LibXML. You can change the processor like this:

    ActiveSupport::XmlMini.backend = 'Nokogiri'

If you cannot change XML parsers, then adjust `RUBY_THREAD_MACHINE_STACK_SIZE`.

Patches that fix this issue are attached.

Acknowledgements:

Red Hat would like to thank the Ruby upstream developers for reporting this issue. Upstream acknowledges Tomek Rabczak from the NCC Group, and Matthew Draper as the original reporters.
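The advisory does not spell out what the crafted documents look like; the recursion that REXML and JDOM perform for each nested element is what exhausts the stack, so where the backend cannot be switched, bounding element nesting before parsing is a further defence alongside the stack-size adjustment. The following is an added example, not code from the advisory, the attached patches or Rails itself; the limit of 100 levels, the `XmlTooDeep` class and the sample documents are assumptions constructed for illustration.

```ruby
# Added example (not from the advisory or Rails): reject XML whose element
# nesting exceeds a bound before it reaches a recursive-descent parser.
MAX_DEPTH = 100  # assumed limit; set it to what your documents actually need

class XmlTooDeep < StandardError; end

# Returns the maximum element nesting depth of +xml+ in one linear pass, or
# raises XmlTooDeep as soon as the depth exceeds +max_depth+, so a hostile
# document is rejected without building a tree. Comments, CDATA sections,
# processing instructions and declarations are skipped; self-closing tags
# (<a/>) do not change the depth. A DOCTYPE with an internal subset is not
# handled; documents carrying one should be rejected separately.
def xml_nesting_depth(xml, max_depth: MAX_DEPTH)
  depth = 0
  max_seen = 0
  pos = 0
  while (start = xml.index('<', pos))
    if xml[start, 4] == '<!--'
      close = xml.index('-->', start) or raise ArgumentError, 'unterminated comment'
      pos = close + 3
    elsif xml[start, 9] == '<![CDATA['
      close = xml.index(']]>', start) or raise ArgumentError, 'unterminated CDATA'
      pos = close + 3
    elsif xml[start, 2] == '<?' || xml[start, 2] == '<!'
      close = xml.index('>', start) or raise ArgumentError, 'unterminated markup'
      pos = close + 1
    else
      close = xml.index('>', start) or raise ArgumentError, 'unterminated tag'
      tag = xml[(start + 1)...close]
      if tag.start_with?('/')
        depth -= 1                 # closing tag: leave one level
      elsif !tag.end_with?('/')
        depth += 1                 # opening tag: enter one level
        raise XmlTooDeep, "nesting exceeds #{max_depth}" if depth > max_depth
        max_seen = depth if depth > max_seen
      end
      pos = close + 1
    end
  end
  max_seen
end

# Constructed sample inputs: an ordinary document (depth 3) and a document
# nested 500 levels deep of the kind that overflows a recursive parser.
SAFE_XML = '<?xml version="1.0"?><order><!-- c --><item id="1">' \
           '<name><![CDATA[<x>]]></name></item><note/></order>'
DEEP_XML = '<a>' * 500 + '</a>' * 500
```

Call `xml_nesting_depth` on the raw body before handing it to `ActiveSupport::XmlMini` (for example in a request filter) and return an error response when it raises `XmlTooDeep`.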
This is now public: http://seclists.org/oss-sec/2015/q2/731
Created attachment 1058046 [details] Patch for ActiveSupport 3.2
Created attachment 1058047 [details] Patch for ActiveSupport 4.1
Created attachment 1058049 [details] Patch for ActiveSupport 4.2
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1249062]
Affects: epel-all [bug 1249063]