Date: Wed, 8 Dec 2010 19:18:29 +0000 (UTC) From: "Philip M. Gollucci" <pgollucci@FreeBSD.org> To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: ports/www Makefile ports/www/rubygem-cgi_multipart_eof_fix Makefile distinfo pkg-descr Message-ID: <201012081918.oB8JITsU027564@repoman.freebsd.org>
pgollucci 2010-12-08 19:18:29 UTC
FreeBSD ports repository
Modified files:
www Makefile
Added files:
www/rubygem-cgi_multipart_eof_fix Makefile distinfo pkg-descr
Log:
Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5.
When multipart boundary attributes contain non-halting regular
expression strings, the boundary searcher in the CGI module does not properly
escape the parameter and will execute arbitrary regular expressions.
This fix adds escaping for the user data.
* Affected application servers: standalone CGI, Mongrel, WEBrick
* Unaffected: FastCGI, Ruby 1.8.6 (all servers)
* Unknown: mod_ruby
This fix will not modify versions of Ruby greater than 1.8.5, and is
cumulative with previous CGI multipart vulnerability fixes.
WWW: http://blog.evanweaver.com/#cgi_multipart_eof_fix
Revision Changes Path
1.2772 +1 -0 ports/www/Makefile
1.1 +19 -0 ports/www/rubygem-cgi_multipart_eof_fix/Makefile (new)
1.1 +2 -0 ports/www/rubygem-cgi_multipart_eof_fix/distinfo (new)
1.1 +14 -0 ports/www/rubygem-cgi_multipart_eof_fix/pkg-descr (new)
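The bug described in the log above comes down to interpolating an attacker-controlled multipart boundary straight into a Regexp. The following is an added illustration, written for this page; it is not the cgi_multipart_eof_fix gem's code nor the Ruby 1.8.5 CGI module's, and the matcher shape, the boundary "a+b" and the request body are all constructed for the example. It contrasts the unescaped matcher with one that applies Regexp.escape to the boundary, which is the kind of fix the log describes.

```ruby
# Added example (not the gem's or Ruby's own code). A boundary taken
# from the Content-Type header is user data; if it is dropped into a
# Regexp unescaped, any regex metacharacters in it change the pattern.

# Simplified matcher in the style of the pre-fix code: the boundary is
# interpolated as-is, so "a+b" becomes the pattern a+b (one or more 'a',
# then 'b'), not the literal string "a+b".
def boundary_regexp_unescaped(boundary)
  Regexp.new("--" + boundary + "(?:--)?\r\n")
end

# Hardened matcher: Regexp.escape turns every metacharacter in the
# boundary into a literal, so the pattern only ever matches the
# boundary string itself.
def boundary_regexp_escaped(boundary)
  Regexp.new("--" + Regexp.escape(boundary) + "(?:--)?\r\n")
end

# True if the delimiter line matches under the chosen matcher.
def boundary_line?(boundary, line, escape:)
  re = escape ? boundary_regexp_escaped(boundary) : boundary_regexp_unescaped(boundary)
  !(re =~ line).nil?
end

# Split a multipart body into its parts with the chosen matcher.
# Empty leading/trailing fragments around the delimiters are dropped.
def split_parts(body, boundary, escape:)
  re = escape ? boundary_regexp_escaped(boundary) : boundary_regexp_unescaped(boundary)
  body.split(re).reject(&:empty?)
end

# Constructed sample: a boundary containing the '+' metacharacter and a
# one-field body delimited by it.
SAMPLE_BOUNDARY = "a+b"
SAMPLE_PART = "Content-Disposition: form-data; name=\"f\"\r\n\r\nhello\r\n"
SAMPLE_BODY = "--a+b\r\n" + SAMPLE_PART + "--a+b--\r\n"

if __FILE__ == $PROGRAM_NAME
  # Unescaped: the real delimiter line is NOT recognised, while an
  # unrelated line "--aaab" IS, because a+b is being run as a regex.
  puts boundary_line?(SAMPLE_BOUNDARY, "--a+b\r\n",  escape: false)  # false
  puts boundary_line?(SAMPLE_BOUNDARY, "--aaab\r\n", escape: false)  # true
  # Escaped: only the literal boundary matches.
  puts boundary_line?(SAMPLE_BOUNDARY, "--a+b\r\n",  escape: true)   # true
  puts boundary_line?(SAMPLE_BOUNDARY, "--aaab\r\n", escape: true)   # false
  p split_parts(SAMPLE_BODY, SAMPLE_BOUNDARY, escape: true)          # one part
  p split_parts(SAMPLE_BODY, SAMPLE_BOUNDARY, escape: false)         # whole body
end
```

The escaped and unescaped matchers behave identically for a boundary made of plain alphanumerics, which is why the defect stays invisible under normal traffic: it only surfaces when the boundary attribute carries regex syntax, and since that pattern is compiled and run server-side, its cost is then dictated by the client rather than by the server.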
