Source: ruby-bson
Version: 1.10.0-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,

the following vulnerability was published for ruby-bson.

CVE-2015-4410[0]: DoS and possible injection

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-4410
[1] http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
[2] http://www.openwall.com/lists/oss-security/2015/06/06/3

It can be checked e.g. via:

$ cat CVE-2015-4410.rb
require 'bson'
b=BSON::ObjectId
raise "DoS!" if b.legal? "a"*24+"\n"
raise "Injection!" if b.legal? "a"*24+"\na"

$ BSON_EXT_DISABLED=1 ruby CVE-2015-4410.rb
** Notice: The native BSON extension was not loaded.
** For optimal performance, use of the BSON extension is recommended.
To enable the extension make sure ENV['BSON_EXT_DISABLED'] is not set and run the following command: gem install bson_ext
If you continue to receive this message after installing, make sure that the bson_ext gem is in your load path.
CVE-2015-4410.rb:3:in `<main>': DoS! (RuntimeError)

Regards,
Salvatore
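Added example, not part of the bug report or of the bson gem: it contrasts a line-anchored ObjectId check with a string-anchored one, run over constructed inputs shaped like those in the report. It assumes the weak check anchors with Ruby's ^ and $, which match at line boundaries, so a valid 24-hex-character line followed by a newline and further text still passes.

```ruby
# Assumption (not taken from the gem): the weak validator is written with ^ and $.
# In Ruby, ^ and $ match at line boundaries, not string boundaries, so any
# string containing one well-formed 24-hex line is accepted, whatever follows.
WEAK_LEGAL   = /^[0-9a-f]{24}$/i

# Hardened form: \A and \z anchor to the whole string. Note \z, not \Z:
# \Z still matches before a single trailing "\n", which would re-admit "a"*24+"\n".
STRICT_LEGAL = /\A[0-9a-f]{24}\z/i

def weak_legal?(str)
  !!(WEAK_LEGAL =~ str)
end

def strict_legal?(str)
  !!(STRICT_LEGAL =~ str)
end

# Constructed inputs: the two strings from the report plus a few more cases.
SAMPLES = {
  "plain"        => "a" * 24,          # well-formed id
  "trailing_nl"  => "a" * 24 + "\n",   # report's "DoS!" case
  "second_line"  => "a" * 24 + "\na",  # report's "Injection!" case
  "leading_line" => "x\n" + "a" * 24,  # junk before the id
  "non_hex"      => "g" * 24,          # wrong alphabet, both must reject
}

# Returns, per sample, what each validator decides.
def compare(samples = SAMPLES)
  samples.transform_values do |s|
    { weak: weak_legal?(s), strict: strict_legal?(s) }
  end
end

compare.each do |name, r|
  puts format("%-13s weak=%-5s strict=%s", name, r[:weak], r[:strict])
end
```

The weak check accepts every multi-line sample; only the \A...\z form limits acceptance to exactly 24 hex characters.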