FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- cgi.rb library Denial of Service

Affected packages
1.8.*,1 <= ruby < 1.8.5_4,1
1.8.*,1 <= ruby+oniguruma < 1.8.5_4,1
1.8.*,1 <= ruby+pthreads < 1.8.5_4,1
1.8.*,1 <= ruby+pthreads+oniguruma < 1.8.5_4,1
1.8.*,1 <= ruby_static

Details

VuXML ID ab8dbe98-6be4-11db-ae91-0012f06707f0
Discovery 2006-10-25
Entry 2006-11-04
Modified 2006-12-15

Official ruby site reports:

A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby, which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources, effectively creating a DoS condition.
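The failure mode above is a parser that keeps searching and buffering when the first delimiter line is malformed. The following is an added example, not Ruby's cgi.rb and not code from the advisory or its references: a small multipart/form-data reader that fails closed on a delimiter line that is not exactly "--" followed by the declared boundary, validates the boundary syntax, and caps how many bytes it will ever hold in memory. The module name, method names and the 1 MiB limit are assumptions chosen for the illustration.

```ruby
require 'stringio'

# Illustrative hardened multipart/form-data reader (assumed names; not cgi.rb).
module SafeMultipart
  class Error < StandardError; end

  # RFC 2046 boundary syntax, 1-70 characters from a restricted set
  # (space is allowed by the RFC but excluded here for simplicity).
  BOUNDARY_RE = %r{\A[0-9A-Za-z'()+_,\-./:=?]{1,70}\z}
  MAX_BODY = 1024 * 1024 # assumed hard cap on bytes buffered in memory

  # Pull the boundary parameter out of a Content-Type header value.
  def self.boundary_from(content_type)
    m = content_type.match(%r{\Amultipart/form-data\s*;.*?\bboundary=(?:"([^"]+)"|([^;\s]+))}i)
    raise Error, 'missing boundary parameter' unless m
    b = m[1] || m[2]
    raise Error, 'invalid boundary syntax' unless BOUNDARY_RE.match?(b)
    b
  end

  # Parse the body into [{name:, filename:, data:}, ...].
  # Reads at most max_body bytes and rejects the request outright when the
  # first line is not "--" + boundary (e.g. "-boundary"), instead of scanning
  # onward for a delimiter that never arrives.
  def self.parse(content_type, io, max_body: MAX_BODY)
    boundary  = boundary_from(content_type)
    delimiter = "--#{boundary}"
    body = io.read(max_body + 1) || ''
    raise Error, 'body exceeds size limit' if body.bytesize > max_body

    # Fail closed: the body must begin with the exact delimiter line.
    unless body.start_with?("#{delimiter}\r\n")
      raise Error, 'body does not begin with the expected delimiter line'
    end

    # Keep the CRLF after the first delimiter so every part segment starts
    # with CRLF and the closing segment starts with "--".
    rest = body.byteslice(delimiter.bytesize, body.bytesize)
    segments = rest.split(/\r\n#{Regexp.escape(delimiter)}/, -1)
    closing = segments.pop
    raise Error, 'missing closing delimiter' unless closing.start_with?('--')

    segments.map { |seg| parse_part(seg) }
  end

  # Split one part into its headers and data; extract name and filename.
  def self.parse_part(segment)
    raise Error, 'delimiter line not terminated by CRLF' unless segment.start_with?("\r\n")
    head, data = segment[2..].split("\r\n\r\n", 2)
    raise Error, 'part without header/body separator' if data.nil?
    disp = head.lines.grep(/\AContent-Disposition:/i).first.to_s
    name     = disp[/;\s*name="([^"]*)"/, 1]
    filename = disp[/;\s*filename="([^"]*)"/, 1]
    raise Error, 'part without a name' if name.nil?
    { name: name, filename: filename, data: data }
  end
  private_class_method :parse_part
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample body: one file field and one plain field.
  sample = "--b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n" \
           "Content-Type: text/plain\r\n\r\nhello\r\n--b\r\n" \
           "Content-Disposition: form-data; name=\"x\"\r\n\r\n1\r\n--b--\r\n"
  p SafeMultipart.parse('multipart/form-data; boundary=b', StringIO.new(sample))
  begin
    # Same body with the malformed "-b" first line: rejected immediately.
    SafeMultipart.parse('multipart/form-data; boundary=b', StringIO.new(sample.sub(/\A--b/, '-b')))
  rescue SafeMultipart::Error => e
    puts "rejected: #{e.message}"
  end
end
```

The two controls that matter for the advisory's scenario are the up-front delimiter check and the read cap: a request whose first line is "-boundary" is refused before any part is buffered, and even a well-formed but oversized body cannot grow memory past the configured limit.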

References

Bugtraq ID 20777
CVE Name CVE-2006-5467
URL http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html