CVE-2012-5371

Published: 28 November 2012

Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.

Priority

Status

Package	Release	Status
ruby1.8 Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Not vulnerable (1.8.7.249-2ubuntu0.2)
	oneiric	Not vulnerable (1.8.7.352-2ubuntu0.2)
	precise	Not vulnerable (1.8.7.352-2ubuntu1.1)
	quantal	Not vulnerable (1.8.7.358-4ubuntu0.1)
	raring	Not vulnerable (1.8.7.358-6ubuntu1)
	saucy	Not vulnerable (1.8.7.358-6ubuntu1)
	upstream	Not vulnerable
ruby1.9.1 Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Ignored (end of life)
	oneiric	Ignored (end of life)
	precise	Released (1.9.3.0-1ubuntu2.5)
	quantal	Released (1.9.3.194-1ubuntu1.3)
	raring	Released (1.9.3.194-7ubuntu1)
	saucy	Released (1.9.3.194-7ubuntu1)
	upstream	Released (1.9.3.194-4, 1.9.3 pl 327)
	Patches: upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37600 vendor: http://patch-tracker.debian.org/patch/series/view/ruby1.9.1/1.9.3.194-7/20121120-cve-2012-5371.diff

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693024

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›