Debian Bug report logs - #365520
CVE-2006-1931: DoS vulnerability in Ruby HTTP/XMLRPC server

version graph

Package: ruby1.8; Maintainer for ruby1.8 is akira yamada <akira@debian.org>; Source for ruby1.8 is src:ruby1.8.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 30 Apr 2006 17:48:08 UTC

Severity: important

Tags: security

Found in version ruby1.8/1.8.2-7sarge2

Fixed in versions 1.8.2-7sarge4, 1.8.4-3

Done: Touko Korpela <tkorpela@phnet.fi>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, akira yamada <akira@debian.org>:
Bug#365520; Package ruby1.8. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, akira yamada <akira@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-1931: DoS vulnerability in Ruby HTTP/XMLRPC server
Date: Sun, 30 Apr 2006 19:46:33 +0200
Package: ruby1.8
Version: 1.8.2-7sarge2
Severity: important
Tags: security


CVE-2006-1931:
"The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets,
which allows attackers to cause a denial of service (blocked
connections) via a large amount of data."

Contrary to the CVE record, this is not fixed in 1.8.2 (I checked the
source). However, I don't know if it is severe enough for a DSA.
What do you think?

See also
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540



Bug marked as not found in version 1.8.4-2. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1.8.2-7sarge4. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Tue, 21 Aug 2007 22:42:03 GMT) Full text and rfc822 format available.

Reply sent to Touko Korpela <tkorpela@phnet.fi>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #14 received at 365520-done@bugs.debian.org (full text, mbox):

From: Touko Korpela <tkorpela@phnet.fi>
To: 365520-done@bugs.debian.org
Subject: Fixed in 1.8.4-3 (info from DSA 1157-1)
Date: Wed, 22 Aug 2007 01:38:45 +0300
Version: 1.8.4-3



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Sep 2007 07:29:33 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:26:36 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.