To underline and bold: you're unaffected if you're in production on FastCGI.
The vulnerability has been reported to security@ruby-lang.org and the
various OS distros. Matz fixed it in 1.8 CVS but hasn't backported, hence
the full disclosure and hotfix now.
Track it at CVE - CVE-2006-5467(should
be up shortly).
jeremy
···
On 10/25/06, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
There is a DoS for Ruby's cgi.rb that is easily exploitable. The attack
involves sending a malformed multipart MIME body in an HTTP request. The
full explanation of the attack as well as how to fix it RIGHT NOW is given
below.I'm putting this fix into the Mongrel pre-release process to give Matz
time to get an official release out. If he doesn't within the next few days
then I'll turn this into an official Mongrel release.