-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2007-1
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original released date: 24 Jan 2007
Last revised: 24 Jan 2007
Package: ruby
Summary: Two vulnerabilities discovered in Ruby
More information:
Ruby is an interpreted scripting language designed to allow quick and
easy object-oriented programming. It has many features to process text
files and to perform system management tasks (as in Perl). It is simple,
straight-forward, and extensible.
Two issues have been discovered in Ruby:
- CGI::allows remote attackers to cause a denial of service (infinite loop
and CPU consumption) via an HTTP request with a multipart MIME body
- Service use disturbance (DoS) the vulnerability which becomes state
exists in cgi.rb which is the standard library of Ruby language.
Impact:
A specific HTTP request for any web application using cgi.rb causes CPU
consumption on the machine on which the web application is running. Many such
requests result in a denial of service.
Affected Products:
- Turbolinux Appliance Server 2.0
- Turbolinux FUJI
- Turbolinux 10 Server x64 Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
<Turbolinux Appliance Server 2.0>
Source Packages
Size: MD5
ruby-1.8.1-8.src.rpm
2681065 a7e933b2b1527bccff8d89aa08f532fd
Binary Packages
Size: MD5
ruby-1.8.1-8.i586.rpm
1714078 3c4bd4f7ef337aa8dae6b7e6348aca93
<Turbolinux FUJI>
Source Packages
Size: MD5
ruby-1.8.3-2.src.rpm
4233069 0b9803dadac3a42426ca35beefaea853
Binary Packages
Size: MD5
ruby-1.8.3-2.i686.rpm
2524110 89d1378b37665d4bda59a13a2608b0ac
<Turbolinux 10 Server x64 Edition>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/SRPMS/ruby-1.8.1-8.src.rpm
2681065 34e6f64eb451e96d0b377afe73a04dc0
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/ruby-1.8.1-8.x86_64.rpm
1816768 eb67c604ea242db98c1f3ad06709b19e
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/ruby-1.8.1-8.src.rpm
2681065 a7e933b2b1527bccff8d89aa08f532fd
Binary Packages
Size: MD5
ruby-1.8.1-8.i586.rpm
1714078 3c4bd4f7ef337aa8dae6b7e6348aca93
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/ruby-1.6.8-5.src.rpm
1031104 1ff9718461af0dac0d2d59de9e6fb660
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/ruby-1.6.8-5.i586.rpm
993096 5446f552b47c67cb053197c5f71877ab
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/ruby-1.6.4-6.src.rpm
907910 3e0b0869d19207c8c316c65325c089cf
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/ruby-1.6.4-6.i586.rpm
984747 fd2d37402ec4ae339ee3994d0716df2a
References:
CVE
[CVE-2006-5467]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467
[CVE-2006-6303]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303
--------------------------------------------------------------------------
Revision History
24 Jan 2007 Initial release
--------------------------------------------------------------------------
Copyright(C) 2007 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFFtzBaK0LzjOqIJMwRArgYAJsEpa2wxxQFyL2Wgv3NqQQIvXFgwwCfUXJI
56iUnFJctDSSi8dp4UaoLPs=
=o4WU
-----END PGP SIGNATURE-----