CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
AI Score
Confidence
High
EPSS
Percentile
88.9%
Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u5
CVE ID : CVE-2012-5371 CVE-2013-0269
Debian Bug : 693024 700471
Two vulnerabilities were identified in the Ruby language interpreter,
version 1.9.1.
CVE-2012-5371
Jean-Philippe Aumasson identified that Ruby computed hash values
without properly restricting the ability to trigger hash collisions
predictably, allowing context-dependent attackers to cause a denial
of service (CPU consumption). This is a different vulnerability than
CVE-2011-4815.
CVE-2013-0269
Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby
allowed remote attackers to cause a denial of service (resource
consumption) or bypass the mass assignment protection mechanism via
a crafted JSON document that triggers the creation of arbitrary Ruby
symbols or certain internal objects.
For the squeeze distribution, theses vulnerabilities have been fixed in
version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade
your ruby1.9.1 package.
Attachment:
signature.asc
Description: Digital signature
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 6 | all | ruby1.9.1 | < 1.9.2 | ruby1.9.1_1.9.2_all.deb |