Date:      Sat, 10 Nov 2012 09:08:00 -0600
From:      Bryan Drewery <bdrewery@freebsd.org>
To:        Steve Wills <swills@freebsd.org>
Cc:        svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r307261 - in head: Mk lang/ruby19 security/vuxml
Message-ID:  <509E6DD0.6070403@FreeBSD.org>
In-Reply-To: <201211100400.qAA40fAB022144@svn.freebsd.org>
References:  <201211100400.qAA40fAB022144@svn.freebsd.org>

On 11/9/2012 10:00 PM, Steve Wills wrote:
> Author: swills
> Date: Sat Nov 10 04:00:41 2012
> New Revision: 307261
> URL: http://svnweb.freebsd.org/changeset/ports/307261
> 
> Log:
>   - Update lang/ruby19 to 1.9.3p327
>   - Document security issue in earlier versions
>   
>   Security:	5e647ca3-2aea-11e2-b745-001fd0af1a4c
>   Feature safe:	yes

Thank you for the quick update!

> 
> Modified:
>   head/Mk/bsd.ruby.mk
>   head/lang/ruby19/distinfo
>   head/security/vuxml/vuln.xml
> 
> Modified: head/Mk/bsd.ruby.mk
> ==============================================================================
> --- head/Mk/bsd.ruby.mk	Sat Nov 10 01:37:24 2012	(r307260)
> +++ head/Mk/bsd.ruby.mk	Sat Nov 10 04:00:41 2012	(r307261)
> @@ -196,7 +196,7 @@ RUBY19=			"@comment "
>  RUBY_RELVERSION=	1.9.3
>  RUBY_PORTREVISION=	0
>  RUBY_PORTEPOCH=		1
> -RUBY_PATCHLEVEL=	286
> +RUBY_PATCHLEVEL=	327
>  
>  RUBY_VERSION?=		${RUBY_RELVERSION}.${RUBY_PATCHLEVEL}
>  RUBY_DISTVERSION?=	${RUBY_RELVERSION}-p${RUBY_PATCHLEVEL}
> 
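Review bot: one thing to confirm for the RUBY_PATCHLEVEL bump from 286 to 327 is that the derived RUBY_VERSION (${RUBY_RELVERSION}.${RUBY_PATCHLEVEL}, i.e. 1.9.3.327) is exactly the string used as the <lt> bound in the new vuln.xml entry, since VuXML compares against the installed package version and a mismatch there would either keep the fixed package flagged or leave p286 unflagged. Keeping RUBY_PORTREVISION at 0 is correct here, because the package version itself changes with the patch level.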
> Modified: head/lang/ruby19/distinfo
> ==============================================================================
> --- head/lang/ruby19/distinfo	Sat Nov 10 01:37:24 2012	(r307260)
> +++ head/lang/ruby19/distinfo	Sat Nov 10 04:00:41 2012	(r307261)
> @@ -1,2 +1,2 @@
> -SHA256 (ruby/ruby-1.9.3-p286.tar.bz2) = 5281656c7a0ae48b64f28d845a96b4dfa16ba1357a911265752787585fb5ea64
> -SIZE (ruby/ruby-1.9.3-p286.tar.bz2) = 9961862
> +SHA256 (ruby/ruby-1.9.3-p327.tar.bz2) = d989465242f9b11a8a3aa8cbd2c75a9b3a8c0ec2f14a087a0c7b51abf164e488
> +SIZE (ruby/ruby-1.9.3-p327.tar.bz2) = 9975835
> 
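Review bot: for a security update the new SHA256 line for ruby-1.9.3-p327.tar.bz2 should be cross-checked against the checksum published with the upstream release rather than taken only from `make makesum` on the fetched file, since this distinfo line is what protects later fetches from a tampered mirror; a short remark in the log that it was verified would help reviewers. The SIZE change (9961862 to 9975835) is in line with a patch-level release.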
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml	Sat Nov 10 01:37:24 2012	(r307260)
> +++ head/security/vuxml/vuln.xml	Sat Nov 10 04:00:41 2012	(r307261)
> @@ -51,6 +51,41 @@ Note:  Please add new entries to the beg
>  
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> +  <vuln vid="5e647ca3-2aea-11e2-b745-001fd0af1a4c">
> +    <topic>lang/ruby19 -- Hash-flooding DoS vulnerability for ruby 1.9</topic>
> +    <affects>
> +      <package>
> +        <name>ruby</name>
> +        <range><ge>1.9</ge><lt>1.9.3.327</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">;
> +        <p>Hash-flooding DoS vulnerability</p>
> +        <blockquote cite="http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/">;
> +          <p>Carefully crafted sequence of strings can cause a denial of service
> +             attack on the service that parses the sequence to create a Hash
> +             object by using the strings as keys. For instance, this
> +             vulnerability affects web application that parses the JSON data
> +             sent from untrusted entity.</p>
> +          <p>This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby
> +             1.9 versions were using modified MurmurHash function but it's
> +             reported that there is a way to create sequence of strings that
> +             collide their hash values each other.  This fix changes the Hash
> +             function of String object from the MurmurHash to SipHash 2-4.</p>
> +        </blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2012-5371</cvename>
> +      <url>http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/</url>;
> +    </references>
> +    <dates>
> +      <discovery>2012-11-10</discovery>
> +      <entry>2012-11-10</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="152e4c7e-2a2e-11e2-99c7-00a0d181e71d">
>      <topic>tomcat -- authentication weaknesses</topic>
>      <affects>
> 
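Review bot: two small corrections in the new <vuln> entry: the <discovery> date is given as 2012-11-10, but the referenced advisory URL is dated 2012/11/09, so discovery should be 2012-11-09 (the <entry> date of 2012-11-10 is fine); and the quoted text reads "CVS-2011-4815" for the ruby 1.8.7 issue, which is presumably CVE-2011-4815. Since that paragraph is a blockquote of the upstream advisory, either correct the identifier or mark it with [sic] so nobody searching the database for the wrong string is misled.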


-- 
Regards,
Bryan Drewery
bdrewery@freenode/EFNet


