svn commit: r307261 - in head: Mk lang/ruby19 security/vuxml
Bryan Drewery
bdrewery at freebsd.org
Sat Nov 10 15:08:14 UTC 2012
On 11/9/2012 10:00 PM, Steve Wills wrote:
> Author: swills
> Date: Sat Nov 10 04:00:41 2012
> New Revision: 307261
> URL: http://svnweb.freebsd.org/changeset/ports/307261
>
> Log:
> - Update lang/ruby19 to 1.9.3p327
> - Document security issue in earlier versions
>
> Security: 5e647ca3-2aea-11e2-b745-001fd0af1a4c
> Feature safe: yes
Thank you for the quick update!
>
> Modified:
> head/Mk/bsd.ruby.mk
> head/lang/ruby19/distinfo
> head/security/vuxml/vuln.xml
>
> Modified: head/Mk/bsd.ruby.mk
> ==============================================================================
> --- head/Mk/bsd.ruby.mk Sat Nov 10 01:37:24 2012 (r307260)
> +++ head/Mk/bsd.ruby.mk Sat Nov 10 04:00:41 2012 (r307261)
> @@ -196,7 +196,7 @@ RUBY19= "@comment "
> RUBY_RELVERSION= 1.9.3
> RUBY_PORTREVISION= 0
> RUBY_PORTEPOCH= 1
> -RUBY_PATCHLEVEL= 286
> +RUBY_PATCHLEVEL= 327
>
> RUBY_VERSION?= ${RUBY_RELVERSION}.${RUBY_PATCHLEVEL}
> RUBY_DISTVERSION?= ${RUBY_RELVERSION}-p${RUBY_PATCHLEVEL}
>
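Review bot: only RUBY_PATCHLEVEL changes here, which is correct since RUBY_VERSION and RUBY_DISTVERSION are derived from RUBY_RELVERSION and RUBY_PATCHLEVEL on the lines below; the resulting RUBY_VERSION of 1.9.3.327 is the value the vuln.xml `<lt>` bound in this commit must match, so anyone touching one should re-check the other. RUBY_PORTREVISION is already 0 and needs no reset for this bump.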
> Modified: head/lang/ruby19/distinfo
> ==============================================================================
> --- head/lang/ruby19/distinfo Sat Nov 10 01:37:24 2012 (r307260)
> +++ head/lang/ruby19/distinfo Sat Nov 10 04:00:41 2012 (r307261)
> @@ -1,2 +1,2 @@
> -SHA256 (ruby/ruby-1.9.3-p286.tar.bz2) = 5281656c7a0ae48b64f28d845a96b4dfa16ba1357a911265752787585fb5ea64
> -SIZE (ruby/ruby-1.9.3-p286.tar.bz2) = 9961862
> +SHA256 (ruby/ruby-1.9.3-p327.tar.bz2) = d989465242f9b11a8a3aa8cbd2c75a9b3a8c0ec2f14a087a0c7b51abf164e488
> +SIZE (ruby/ruby-1.9.3-p327.tar.bz2) = 9975835
>
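Review bot: the new SHA256 for ruby-1.9.3-p327.tar.bz2 should be confirmed against the checksum published in the upstream release announcement rather than taken solely from `make makesum` over a freshly fetched tarball, since a checksum regenerated from the download only proves that later fetches match that download, not that the download is the genuine release. Stating in the log that the hash was cross-checked with upstream would make that verifiable from the commit.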
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml Sat Nov 10 01:37:24 2012 (r307260)
> +++ head/security/vuxml/vuln.xml Sat Nov 10 04:00:41 2012 (r307261)
> @@ -51,6 +51,41 @@ Note: Please add new entries to the beg
>
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="5e647ca3-2aea-11e2-b745-001fd0af1a4c">
> + <topic>lang/ruby19 -- Hash-flooding DoS vulnerability for ruby 1.9</topic>
> + <affects>
> + <package>
> + <name>ruby</name>
> + <range><ge>1.9</ge><lt>1.9.3.327</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>Hash-flooding DoS vulnerability</p>
> + <blockquote cite="http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/">
> + <p>Carefully crafted sequence of strings can cause a denial of service
> + attack on the service that parses the sequence to create a Hash
> + object by using the strings as keys. For instance, this
> + vulnerability affects web application that parses the JSON data
> + sent from untrusted entity.</p>
> + <p>This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby
> + 1.9 versions were using modified MurmurHash function but it's
> + reported that there is a way to create sequence of strings that
> + collide their hash values each other. This fix changes the Hash
> + function of String object from the MurmurHash to SipHash 2-4.</p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <cvename>CVE-2012-5371</cvename>
> + <url>http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/</url>
> + </references>
> + <dates>
> + <discovery>2012-11-10</discovery>
> + <entry>2012-11-10</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="152e4c7e-2a2e-11e2-99c7-00a0d181e71d">
> <topic>tomcat -- authentication weaknesses</topic>
> <affects>
>
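Review bot: the quoted upstream text in the `<blockquote>` reads "CVS-2011-4815" where the earlier 1.8.7 hash-flooding issue is CVE-2011-4815; since the block is presented as a verbatim quotation with a `cite` attribute, either keep it as upstream wrote it or mark the correction editorially, but a cross-reference to the earlier CVE in `<references>` would help readers regardless. Also, `<discovery>` is set to 2012-11-10 while the referenced advisory URL is dated 2012-11-09, so the discovery date should probably be 2012-11-09 with `<entry>` left as 2012-11-10. The `<range>` of `<ge>1.9</ge>` to `<lt>1.9.3.327</lt>` is consistent with the RUBY_VERSION produced by the bsd.ruby.mk change in this same commit.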
--
Regards,
Bryan Drewery
bdrewery at freenode/EFNet