author | Steve Wills <swills@FreeBSD.org> | 2012-11-10 04:00:41 +0000 |
---|---|---|
committer | Steve Wills <swills@FreeBSD.org> | 2012-11-10 04:00:41 +0000 |
commit | dd14410e21663ac7f23087b7f38d6616b0015b35 (patch) | |
tree | b4951aa2cff5ddcd944a2cbc5f1ca71fa844e015 /security | |
parent | 14f5b9b330ef0eb94af8a844fc910d5589592ec6 (diff) | |
download | ports-dd14410e21663ac7f23087b7f38d6616b0015b35.tar.gz ports-dd14410e21663ac7f23087b7f38d6616b0015b35.zip |
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index d37eaa259362..1b0eb10ed12e 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,41 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="5e647ca3-2aea-11e2-b745-001fd0af1a4c"> + <topic>lang/ruby19 -- Hash-flooding DoS vulnerability for ruby 1.9</topic> + <affects> + <package> + <name>ruby</name> + <range><ge>1.9</ge><lt>1.9.3.327</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Hash-flooding DoS vulnerability</p> + <blockquote cite="http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/"> + <p>Carefully crafted sequence of strings can cause a denial of service + attack on the service that parses the sequence to create a Hash + object by using the strings as keys. For instance, this + vulnerability affects web application that parses the JSON data + sent from untrusted entity.</p> + <p>This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby + 1.9 versions were using modified MurmurHash function but it's + reported that there is a way to create sequence of strings that + collide their hash values each other. This fix changes the Hash + function of String object from the MurmurHash to SipHash 2-4.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-5371</cvename> + <url>http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/</url> + </references> + <dates> + <discovery>2012-11-10</discovery> + <entry>2012-11-10</entry> + </dates> + </vuln> + <vuln vid="152e4c7e-2a2e-11e2-99c7-00a0d181e71d"> <topic>tomcat -- authentication weaknesses</topic> <affects> |
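Review bot: In the `<dates>` block of the new ruby entry, `<discovery>2012-11-10</discovery>` is a day later than the advisory the entry cites, whose URL is dated 2012/11/09. The discovery date should be no later than the upstream announcement, so 2012-11-09 looks like the right value, with `<entry>` staying at 2012-11-10. Two smaller points in the same entry: the quoted text reads "CVS-2011-4815" while the reference uses the CVE prefix (`<cvename>CVE-2012-5371</cvename>`), so please check whether that is a transcription slip or verbatim from upstream. Also, the topic says lang/ruby19 but the package is matched as `<name>ruby</name>` with `<lt>1.9.3.327</lt>`. It is worth confirming that this name and version string match what the installed package actually reports, otherwise the entry will not flag affected systems.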