The Ruby development team recently said in an official blog that there is a security vulnerability in the Hash function used in the Ruby 1.9 branch, which may cause Hash-flooding DoS attacks. The Development Team urgently released the Ruby-1.9.3 p-327 version, which 1.9 users should upgrade as soon as possible.
Details
This vulnerability is similar to the CVS-2011-4815 in Ruby 1.8.7. Ruby 1.9 uses the improved MurmurHash function, which is reported to be used to create string sequences that can collide with their hash values. This vulnerability affects web applications that need to parse JSON data sent from untrusted entities.
In the fixed version, the hash function of the string object is changed from MurmurHash to SipHash 2-4.
Affected Versions
- Ruby 1.9.3 all 1.9 branch versions prior to p-327
- All Versions earlier than Ruby 2.0 trunk 37575, including Ruby 2.0.0 preview1
Solution
- 1.9 users upgraded to ruby-1.9.3 patchlevel 327
- 2.0 preview1 or trunk version upgrade to trunk 37575 or later
- For all Ruby applications that need to accept input data from untrusted entities, the size of input data should be limited to the appropriate range.
CVE-2012-5371 details
Download: Ruby 1.9.3-p327