Ruby socket denial of service
| ruby-socket-dos (26102) |  Low Risk |
Description:
Ruby is vulnerable to a denial of service caused by the use of blocking sockets. A remote attacker could send a request with a large amount of data to cause a denial of service condition.
Platforms Affected:
- Canonical, Ubuntu 4.10
- Canonical, Ubuntu 5.04
- Canonical, Ubuntu 5.10
- Debian, Debian Linux 3.1
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 2006 X86_64
- MandrakeSoft, Mandrake Linux 2006
- MandrakeSoft, Mandrake Linux LE2005
- MandrakeSoft, Mandrake Linux LE2005 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0
- MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
- RedHat, Enterprise Linux 4 WS
- RedHat, Enterprise Linux 4 ES
- RedHat, Enterprise Linux 4 AS
- RedHat, Enterprise Linux 4 Desktop
- Yukihiro Matsumoto, Ruby prior to 1.8.2
Remedy:
Upgrade to the latest version of Ruby (1.8.2 or later), available from the Ruby FTP Web page. See References.
For Red Hat Linux:
Refer to RHSA-2006:0427-2 for patch, upgrade, or suggested workaround information. See References.
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-05-11 for patch, upgrade, or suggested workaround information. See References.
For Debian GNU/Linux:
Refer to DSA-1157-1 for patch, upgrade, or suggested workaround information. See References.
Consequences:
Denial of Service
References:
- Red Hat Bugzilla Bug 189540, CVE-2006-1931 Ruby http/xmlrpc server DoS at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540.
- Ruby FTP Web page, ruby-1.8.3 at ftp://ftp.ruby-lang.org/pub/ruby/.
- ASA-2006-098: ruby security update (RHSA-2006-0427)
- BID-17645: Yukihiro Matsumoto Ruby XMLRPC Server Denial of Service Vulnerability
- CVE-2006-1931: The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.
- DSA-1157: ruby1.8 -- several vulnerabilities
- GLSA-200605-11: Ruby: Denial of Service
- MDKSA-2006:079: Updated ruby packages fix vulnerability
- RHSA-2006-0427: ruby security update
- SA16904: Ruby Safe-Level Security Bypass and Server Classes Denial of Service
- SECTRACK ID: 1015978: Ruby HTTP/XMLRPC Server Lets Remote Users Block Connections
- SUSE-SR:2006:012: SUSE Security Summary Report
- USN-273-1: Ruby vulnerability
Reported:
Apr 20, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net