CVE-2008-3443
Published: 14 August 2008
The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.
Notes
| Author | Note |
|---|---|
| jdstrand | this should be fixed in svn r20243 for ruby1.9 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ruby1.8 Launchpad, Ubuntu, Debian |
dapper |
Released
(1.8.4-1ubuntu1.6)
|
| feisty |
Released
(1.8.5-4ubuntu2.3)
|
|
| gutsy |
Released
(1.8.6.36-1ubuntu3.3)
|
|
| hardy |
Released
(1.8.6.111-2ubuntu1.2)
|
|
| intrepid |
Not vulnerable
(1.8.7.72-1)
|
|
| jaunty |
Not vulnerable
(1.8.7.72-1)
|
|
| karmic |
Not vulnerable
(1.8.7.72-1)
|
|
| lucid |
Not vulnerable
(1.8.7.72-1)
|
|
| maverick |
Not vulnerable
(1.8.7.72-1)
|
|
| natty |
Not vulnerable
(1.8.7.72-1)
|
|
| oneiric |
Not vulnerable
(1.8.7.72-1)
|
|
| upstream |
Released
(1.8.7.72-1)
|
|
|
ruby1.9 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| feisty |
Ignored
(end of life, was needed)
|
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Released
(1.9.0.2-7ubuntu1.1)
|
|
| jaunty |
Not vulnerable
(1.9.0.2-9ubuntu1)
|
|
| karmic |
Not vulnerable
(1.9.0.2-9ubuntu1)
|
|
| lucid |
Not vulnerable
(1.9.0.2-9ubuntu1)
|
|
| maverick |
Does not exist
(pulled 2010-07-27)
|
|
| natty |
Does not exist
(pulled 2010-07-27)
|
|
| oneiric |
Does not exist
(pulled 2010-07-27)
|
|
| upstream |
Needed
|
|
|
Patches: vendor: http://svn.debian.org/wsvn/pkg-ruby/ruby1.9/trunk/debian/patches/308_regexp_segv.dpatch?op=file&rev=0&sc=0 |
||