Date: Sun, 12 Nov 2006 11:07:26 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: [ANNOUNCEMENT] Updated: ruby-1.8.5-2

I have updated the version of ruby on cygwin.com to 1.8.5-2.

This is a security update. It fixes a DoS vulnerability as described in
the official message:

=======================================================================
DoS Vulnerability in CGI Library
--------------------------------

A vulnerability has been discovered in the CGI library (cgi.rb) that
ships with Ruby which could be used by a malicious user to create a
denial of service attack (DoS).

The problem is triggered by sending the library an HTTP request that
uses multipart MIME encoding and has an invalid boundary specifier that
begins with "-" instead of "--". Once triggered it will exhaust all
available memory resources effectively creating a DoS condition.

Ruby 1.8.5 and all prior versions are vulnerable.

This vulnerability is open to the public as CVE-2006-5467.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467

Vulnerable Versions
-------------------

1.8 series
    1.8.5 and all prior versions

Development version (1.9 series)
    All versions before 2006-09-23

Solution
--------

1.8 series
    Please apply the patch after you update to Ruby 1.8.5:

    * CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)
      http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch

    Please note that a package that corrects this weakness may already
    be available through your package management software.

Development version (1.9 series)
    Please update your Ruby to a version after September 23, 2006.

References
----------

* [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
  http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
=======================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.

*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at the above URL.

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
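The advisory above describes a multipart reader that, given a delimiter line starting with "-" instead of the required "--", never matches the boundary and keeps consuming memory. The Ruby example below is added here for illustration; it is not the code of cgi.rb, the patch, or the Cygwin package. It is a small chunked multipart/form-data parser that fails closed in exactly that situation: every read is bounded by the declared Content-Length, a read that returns nothing ends parsing with an error rather than repeating, and a body whose first line is not `--boundary` is rejected before the part loop starts. The names `parse_multipart`, `parse_result`, `MultipartError` and the sample bodies are all constructed for this example.

```ruby
require 'stringio'

# Constructed sample bodies (not taken from the advisory or any real request).
BOUNDARY = "xYzZY"

GOOD_BODY = [
  "--#{BOUNDARY}\r\n",
  "Content-Disposition: form-data; name=\"user\"\r\n",
  "\r\n",
  "alice\r\n",
  "--#{BOUNDARY}\r\n",
  "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n",
  "Content-Type: text/plain\r\n",
  "\r\n",
  "hello\r\n",
  "--#{BOUNDARY}--\r\n",
].join

# The same body with every delimiter line starting with "-" instead of "--",
# the malformed input the advisory describes.
BAD_BODY = GOOD_BODY.gsub("--#{BOUNDARY}", "-#{BOUNDARY}")

class MultipartError < StandardError; end

# Parse a multipart/form-data body, reading it from +io+ in +bufsize+ chunks.
# Returns an array of { headers: {...}, body: "..." } hashes.
# Raises MultipartError (instead of looping) when the delimiter is missing,
# when Content-Length is used up, or when the IO hits EOF early.
def parse_multipart(io, boundary, content_length, bufsize: 16)
  delimiter = "--#{boundary}"
  buf = +""
  remaining = content_length

  # Pull one more chunk into buf, or fail closed. An empty/nil read must
  # terminate parsing; repeating it is what turns bad input into a hang.
  fill = lambda do
    raise MultipartError, "Content-Length exhausted before delimiter" if remaining <= 0
    chunk = io.read([bufsize, remaining].min)
    raise MultipartError, "EOF before delimiter" if chunk.nil? || chunk.empty?
    remaining -= chunk.bytesize
    buf << chunk
  end
  need = ->(n) { fill.call while buf.bytesize < n }

  # The body must open with "--boundary"; reject anything else up front.
  need.call(delimiter.bytesize + 2)
  raise MultipartError, "body does not begin with #{delimiter}" unless buf.start_with?(delimiter)
  buf.slice!(0, delimiter.bytesize)

  parts = []
  marker = "\r\n#{delimiter}"
  loop do
    need.call(2)
    tail = buf.slice!(0, 2)
    return parts if tail == "--"                     # closing "--boundary--"
    raise MultipartError, "malformed delimiter line" unless tail == "\r\n"

    # Grow buf until the next "\r\n--boundary" shows up, then cut the part out.
    fill.call until (idx = buf.index(marker))
    raw = buf.slice!(0, idx)
    buf.slice!(0, marker.bytesize)

    head, body = raw.split("\r\n\r\n", 2)
    headers = head.to_s.split("\r\n").each_with_object({}) do |line, h|
      k, v = line.split(":", 2)
      h[k.strip.downcase] = v.to_s.strip
    end
    parts << { headers: headers, body: body.to_s }
  end
end

# Convenience wrapper: [:ok, parts] or [:error, message].
def parse_result(body, content_length = body.bytesize)
  [:ok, parse_multipart(StringIO.new(body), BOUNDARY, content_length)]
rescue MultipartError => e
  [:error, e.message]
end

if __FILE__ == $0
  p parse_result(GOOD_BODY)
  p parse_result(BAD_BODY)                 # rejected before the part loop
  p parse_result(GOOD_BODY[0, 40])         # truncated: Content-Length runs out
  p parse_result(GOOD_BODY[0, 40], 1000)   # truncated with inflated length: EOF
end
```

The two truncated cases matter as much as the single-dash one: a parser that trusts Content-Length alone can still spin if the client closes the connection early, so both the byte budget and the EOF check are needed before any `until found` loop over a network-supplied body.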