CVE-2008-3443

The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.

🔗 References (52)

• cve@mitrehttp://lists.apple.com/archives/security-announce/2009/May/msg00002.html
• cve@mitrehttp://secunia.com/advisories/31430
• cve@mitrehttp://secunia.com/advisories/32165
• cve@mitrehttp://secunia.com/advisories/32219
• cve@mitrehttp://secunia.com/advisories/32371
• cve@mitrehttp://secunia.com/advisories/32372
• cve@mitrehttp://secunia.com/advisories/33185
• cve@mitrehttp://secunia.com/advisories/33398
• cve@mitrehttp://secunia.com/advisories/35074
• cve@mitrehttp://securityreason.com/securityalert/4158
• cve@mitrehttp://support.apple.com/kb/HT3549
• cve@mitrehttp://support.avaya.com/elmodocs2/security/ASA-2008-424.htm
• cve@mitrehttp://www.debian.org/security/2009/dsa-1695
• cve@mitrehttp://www.redhat.com/support/errata/RHSA-2008-0895.html
• cve@mitrehttp://www.redhat.com/support/errata/RHSA-2008-0897.html