This is the mail archive of the cygwin mailing list for the Cygwin project.


[ANNOUNCEMENT] Updated: ruby-1.8.5-2


I have updated the version of ruby on cygwin.com to 1.8.5-2.

This is a security update.  It fixes a DoS vulnerability as described
in the official message:

=======================================================================
DoS Vulnerability in CGI Library
--------------------------------

A vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS). The problem is triggered by sending the
library an HTTP request that uses multipart MIME encoding and has an
invalid boundary specifier that begins with '-' instead of '--'. Once
triggered it will exhaust all available memory resources effectively
creating a DoS condition.

Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is
open to the public as CVE-2006-5467.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467

Vulnerable Versions
--------------------
1.8 series
  1.8.5 and all prior versions

Development version (1.9 series)
  All versions before 2006-09-23

Solution
--------
1.8 series
  Please apply the patch after you update to Ruby 1.8.5:

    * CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)
    http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch

  Please note that a package that corrects this weakness may already
  be available through your package management software. 

Development version (1.9 series)
  Please update your Ruby to a version after September 23, 2006.

References
----------
  * [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
  http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
=======================================================================
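The quoted advisory describes a multipart request whose boundary delimiter is malformed (a single '-' where the RFC 2046 dash-boundary '--' is required) driving the parser into unbounded memory use. The following is an added example, not code from the Ruby project, cgi.rb, or this announcement: a small pre-check that a CGI front end could run on a request before handing it to the multipart parser. It validates the declared boundary against RFC 2046 syntax, enforces a body size cap, and requires that the body actually opens with the "--boundary" delimiter and contains the closing "--boundary--" delimiter. The module and method names (MultipartPrecheck, check_multipart, boundary_from), the size cap, and the sample request are this example's own assumptions and constructed data.

```ruby
# Added example: defensive pre-check for multipart/form-data requests.
# Not from cgi.rb or the Ruby project; names and limits are illustrative.
module MultipartPrecheck
  # RFC 2046 section 5.1.1: boundary is 1..70 "bchars"; the character
  # class below lists them, and a trailing space is forbidden.
  BCHARS   = %r{\A[0-9A-Za-z'()+_,\-./:=? ]{1,70}\z}
  MAX_BODY = 8 * 1024 * 1024   # arbitrary cap chosen for this example

  # Extract the boundary parameter from a Content-Type header value.
  # Returns nil unless the type is multipart/form-data with a boundary.
  def self.boundary_from(content_type)
    return nil unless content_type
    return nil unless content_type =~ %r{\Amultipart/form-data\s*;}i
    m = content_type.match(/;\s*boundary=(?:"([^"]+)"|([^;\s]+))/i)
    return nil unless m
    m[1] || m[2]
  end

  # Returns [:ok, boundary] when the request is safe to hand to a
  # multipart parser, or [:reject, reason] otherwise.
  def self.check_multipart(content_type, body)
    boundary = boundary_from(content_type)
    return [:reject, "missing or non-multipart Content-Type"] unless boundary
    unless boundary =~ BCHARS && boundary !~ / \z/
      return [:reject, "boundary violates RFC 2046 syntax"]
    end
    return [:reject, "body exceeds size cap"] if body.bytesize > MAX_BODY

    delimiter = "--" + boundary
    # Strict choice for this example: the body must start directly with the
    # dash-boundary line (what browsers send); RFC 2046 would also permit a
    # preamble before it, which this check deliberately does not accept.
    first_line = body.split(/\r?\n/, 2).first.to_s
    unless first_line == delimiter
      return [:reject, "body does not begin with the dash-boundary delimiter"]
    end
    # Without a closing delimiter a parser scanning for the end of the last
    # part has nowhere to stop, so require it up front.
    unless body.include?(delimiter + "--")
      return [:reject, "closing delimiter missing"]
    end
    [:ok, boundary]
  end

  # Constructed sample request (not captured traffic) used for the demo.
  SAMPLE_CT   = 'multipart/form-data; boundary=XyZ123'
  SAMPLE_BODY = "--XyZ123\r\n" \
                "Content-Disposition: form-data; name=\"a\"\r\n\r\n" \
                "1\r\n" \
                "--XyZ123--\r\n"
end

if __FILE__ == $0
  status, detail = MultipartPrecheck.check_multipart(
    MultipartPrecheck::SAMPLE_CT, MultipartPrecheck::SAMPLE_BODY)
  puts "#{status}: #{detail}"
end
```

The check is intentionally conservative: it rejects a few RFC-legal shapes (a preamble before the first delimiter) in exchange for guaranteeing that whatever reaches the parser has both delimiters it will search for. In a real deployment it would sit in front of the parser, and its rejections are worth logging, since a burst of "does not begin with the dash-boundary delimiter" rejections is a useful signal that someone is probing this bug class.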


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available  
starting at the above URL.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/