Ruby socket denial of service
| ruby-socket-dos (26102) |  Low Risk |
Description:
Ruby is vulnerable to a denial of service caused by the use of blocking sockets. A remote attacker could send a request with a large amount of data to cause a denial of service condition.
Consequences:
Denial of Service
Remedy:
Upgrade to the latest version of Ruby (1.8.2 or later), available from the Ruby FTP Web page. See References.
For Red Hat Linux:
Refer to RHSA-2006:0427-2 for patch, upgrade, or suggested workaround information. See References.
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-05-11 for patch, upgrade, or suggested workaround information. See References.
For Debian GNU/Linux:
Refer to DSA-1157-1 for patch, upgrade, or suggested workaround information. See References.
References:
- Red Hat Bugzilla Bug 189540: CVE-2006-1931 Ruby http/xmlrpc server DoS.
- Ruby FTP Web page: ruby-1.8.3.
- ASA-2006-098: ruby security update (RHSA-2006-0427)
- BID-17645: Yukihiro Matsumoto Ruby XMLRPC Server Denial of Service Vulnerability
- CVE-2006-1931: The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.
- DSA-1157: ruby1.8 -- several vulnerabilities
- GLSA-200605-11: Ruby: Denial of Service
- MDKSA-2006:079: Updated ruby packages fix vulnerability
- RHSA-2006-0427: ruby security update
- SA16904: Ruby Safe-Level Security Bypass and Server Classes Denial of Service
- SECTRACK ID: 1015978: Ruby HTTP/XMLRPC Server Lets Remote Users Block Connections
- SUSE-SR:2006:012: SUSE Security Summary Report
- USN-273-1: Ruby vulnerability
Platforms Affected:
- Canonical Ubuntu 4.10
- Canonical Ubuntu 5.04
- Canonical Ubuntu 5.10
- Debian Debian Linux 3.1
- Gentoo Linux
- MandrakeSoft Mandrake Linux 2006
- MandrakeSoft Mandrake Linux 2006 X86_64
- MandrakeSoft Mandrake Linux LE2005 X86_64
- MandrakeSoft Mandrake Linux LE2005
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- RedHat Enterprise Linux 4 WS
- RedHat Enterprise Linux 4 ES
- RedHat Enterprise Linux 4 AS
- RedHat Enterprise Linux 4 Desktop
- Yukihiro Matsumoto Ruby prior to 1.8.2
Reported:
Apr 20, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net