FreeBSD : ruby -- DoS vulnerability in REXML (844cf3f5-9259-4b3e-ac9e-13ca17333ed7)

high Nessus Plugin ID 64874

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Ruby developers report:

Unrestricted entity expansion can lead to a DoS vulnerability in REXML. (The CVE identifier will be assigned later.) We strongly recommend upgrading ruby.

When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
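REXML's defence against this is a pair of process-global limits, `REXML::Document.entity_expansion_text_limit` (bytes of expanded text per text node) and `REXML::Document.entity_expansion_limit` (number of expansions per document); the added Ruby example below, which is not code from the plugin or from the ruby-lang advisory, parses a small constructed document under the default budgets and under tightened ones to show where REXML refuses to expand. The sample XML and the function names are constructed for illustration.

```ruby
require "rexml/document"

# Constructed sample document (not from the advisory): one internal entity of
# 100 bytes referenced three times, so the root text node expands to 300 bytes.
# Deliberately small; it only exercises the limits, it is not an expansion bomb.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE doc [
    <!ENTITY chunk "#{"x" * 100}">
  ]>
  <doc>&chunk;&chunk;&chunk;</doc>
XML

# Parse under the given REXML limits and force expansion of the root text node
# (REXML expands entity references lazily, when the text is read).
# Returns [:ok, byte_size] or [:rejected, error_message].
# Both limits are class-level, process-wide settings, so they are restored
# afterwards; in a real service they belong in startup code, set once.
def parse_with_limits(xml, text_limit:, count_limit:)
  old_text  = REXML::Document.entity_expansion_text_limit
  old_count = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_text_limit = text_limit
  REXML::Document.entity_expansion_limit      = count_limit
  doc  = REXML::Document.new(xml)
  text = doc.root.text            # triggers expansion and the limit checks
  [:ok, text.bytesize]
rescue StandardError => e         # REXML raises RuntimeError on either limit
  [:rejected, e.message]
ensure
  REXML::Document.entity_expansion_text_limit = old_text
  REXML::Document.entity_expansion_limit      = old_count
end

# REXML's defaults (10240 bytes of expanded text, 10000 expansions): accepted.
def with_defaults
  parse_with_limits(SAMPLE_XML, text_limit: 10_240, count_limit: 10_000)
end

# Tight per-text-node byte budget: 300 expanded bytes exceed 256, rejected.
def with_tight_text_limit
  parse_with_limits(SAMPLE_XML, text_limit: 256, count_limit: 10_000)
end

# Tight expansion count: the third reference exceeds a budget of 2, rejected.
def with_tight_count_limit
  parse_with_limits(SAMPLE_XML, text_limit: 10_240, count_limit: 2)
end

if __FILE__ == $PROGRAM_NAME
  p with_defaults            # [:ok, 300]
  p with_tight_text_limit    # [:rejected, "entity expansion has grown too large"]
  p with_tight_count_limit   # [:rejected, "number of entity expansions exceeded, processing aborted."]
end
```

For untrusted input, pick the smallest budgets the application's documents actually need; the defaults are a ceiling, not a tuned value.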

Solution

Update the affected package.

See Also

http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/

http://www.nessus.org/u?d0dc3b30

Plugin Details

Severity: High

ID: 64874

File Name: freebsd_pkg_844cf3f592594b3eac9e13ca17333ed7.nasl

Version: 1.5

Type: local

Published: 2/25/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ruby, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/24/2013

Vulnerability Publication Date: 2/22/2013