CVE-2014-8090

Published: 14 November 2014

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

Priority: Medium

Status

Package / Release / Status

ruby1.8 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

ruby1.9.1 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [1.9.3.484-2ubuntu1.2])
  Patches:
    Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48406 (1.9.3)

ruby2.0 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [2.0.0.484-1ubuntu2.2])
  Patches:
    Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48403 (2.0)

ruby2.1 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48402 (trunk)
    Upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48404 (2.1)