[SOLVED] [USN-20-1] Ruby CGI module vulnerability



Martin Pitt
November 9th, 2004, 01:05 AM
===========================================================
Ubuntu Security Notice USN-20-1 November 08, 2004
ruby1.8 vulnerability
CAN-2004-0983
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libruby1.8

The problem can be corrected by upgrading the affected package to
version 1.8.1+1.8.2pre2-3ubuntu0.1. In general, a standard system
upgrade is sufficient to effect the necessary changes.

Details follow:

The Ruby developers discovered a potential Denial of Service
vulnerability in the CGI module (cgi.rb). Specially crafted CGI
requests could cause an infinite loop in the server process.
Repetitive attacks could use most of the available processor
resources, exhaust the number of allowed parallel connections in web
servers, or cause similar effects which render the service
unavailable.

There is no possibility of privilege escalation or data loss.

Source archives:


Architecture independent packages:


amd64 architecture (Athlon64, Opteron, EM64T Xeon)


i386 architecture (x86 compatible Intel/AMD)


powerpc architecture (Apple Macintosh G3/G4/G5)


--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
