From martin.pitt@canonical.com Mon Nov 8 23:30:58 2004
From: Martin Pitt
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Date: Tue, 9 Nov 2004 00:59:07 +0100
Subject: [Full-Disclosure] [USN-20-1] Ruby CGI module vulnerability

===========================================================
Ubuntu Security Notice USN-20-1           November 08, 2004
ruby1.8 vulnerability
CAN-2004-0983
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libruby1.8

The problem can be corrected by upgrading the affected package to version 1.8.1+1.8.2pre2-3ubuntu0.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

The Ruby developers discovered a potential Denial of Service vulnerability in the CGI module (cgi.rb). Specially crafted CGI requests could cause an infinite loop in the server process. Repetitive attacks could use most of the available processor resources, exhaust the number of allowed parallel connections in web servers, or cause similar effects which render the service unavailable.

There is no possibility of privilege escalation or data loss.