This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.3
---
ruby1.8 (1.8.6.111-2ubuntu1.3) hardy-security; urgency=low
  * SECURITY UPDATE: certificate spoofing via invalid return value check
    in OCSP_basic_verify
    - debian/patches/904_security_CVE-2009-0642.dpatch:
** Changed in: ruby1.8 (Debian)
Status: New => Fix Released
--
DoS vulnerability in BigDecimal Ruby Library
https://bugs.launchpad.net/bugs/385436
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.
--
ubuntu-bugs mailing list
** Changed in: ruby1.8 (Debian)
Status: Unknown => New
--
** Visibility changed to: Public
** Changed in: ruby1.8 (Ubuntu)
Importance: Undecided => Medium
** Changed in: ruby1.8 (Ubuntu)
Status: New => Confirmed
--
Is importance Medium enough? Quote from the Rails blog: This could be
used by an attacker to crash any ruby program which creates BigDecimal
objects based on user input, including almost every Rails application.
Sounds fairly critical to me...
--
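The comment above quotes the Rails blog's warning that any program building BigDecimal objects from user input is exposed. The following is an added example (not code from the bug report, the ruby1.8 package or the upstream patch) of the defensive pattern that limits that exposure: validate the user-supplied string against a strict decimal grammar and bound its digit count and exponent before BigDecimal ever parses it. The helper names, the regex and the default bounds (40 digits, exponent magnitude 1000) are assumptions chosen for illustration, and the code targets a modern Ruby rather than the 1.8.6 in Hardy. It is a front-door check, not a replacement for applying the fix to the library itself.

```ruby
# Added example: reject hostile numeric strings before they reach BigDecimal.
# Names and bounds below are illustrative assumptions, not part of the package.
require 'bigdecimal'

# Plain decimal literal: optional sign, integer digits, optional fraction,
# optional exponent. Anything else (hex, underscores, "Infinity", "NaN",
# whitespace inside the number) is rejected outright.
DECIMAL_RE = /\A[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

class UnsafeDecimalInput < ArgumentError; end

# Returns the trimmed literal if it is within bounds, otherwise raises.
# max_digits caps the total significant-digit string length; max_exponent
# caps the magnitude of the exponent, so the parser never sees a value whose
# scale is chosen by the attacker.
def check_decimal_input(str, max_digits: 40, max_exponent: 1000)
  raise UnsafeDecimalInput, "not a string" unless str.is_a?(String)
  literal = str.strip
  m = DECIMAL_RE.match(literal)
  raise UnsafeDecimalInput, "not a decimal literal: #{str.inspect}" unless m

  digits = m[1].length + (m[2] ? m[2].length : 0)
  raise UnsafeDecimalInput, "too many digits (#{digits})" if digits > max_digits

  exponent = m[3] ? m[3].to_i : 0
  if exponent.abs > max_exponent
    raise UnsafeDecimalInput, "exponent out of range (#{exponent})"
  end
  literal
end

# The only place application code should construct a BigDecimal from
# untrusted text: validation first, library call second.
def safe_bigdecimal(str, **bounds)
  BigDecimal(check_decimal_input(str, **bounds))
end
```

Callers that previously wrote `BigDecimal(params[:amount])` switch to `safe_bigdecimal(params[:amount])` and rescue `UnsafeDecimalInput` as an ordinary validation failure.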
This upstream patch fixes this bug:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=23652
Unfortunately, hunk #14 fails to apply to Hardy's Ruby source. It looks
like the BigDecimal_to_f function has been rewritten since Hardy's
version of Ruby (1.8.6.111).
** Bug watch added: