[v3.2] ruby-activesupport4.2: Possible Denial of Service attack (CVE-2015-3227)
There is a possible denial of service attack in the XML processing in Active Support. This vulnerability has been assigned the CVE identifier CVE-2015-3227.
Versions Affected: All.
Not affected: None.
Fixed Versions: 4.2.2, 4.1.11
Impact
———
Specially crafted XML documents can cause applications to raise a `SystemStackError` and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.
All users running an affected release should either upgrade or use one of the workarounds immediately.
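The crafted documents behind this CVE are deeply nested elements, which exhaust the stack when the parsed tree is converted to a Hash recursively. As an added defensive example (not code from the advisory or from Rails), the Ruby guard below measures nesting depth with REXML's non-recursive stream parser and rejects the document before it reaches a recursive conversion such as `Hash.from_xml`; the limit of 100 levels is an assumed value.

```ruby
require 'rexml/document'
require 'rexml/streamlistener'

# Counts element nesting depth via REXML's iterative stream parser, so the
# check itself never recurses, and aborts as soon as the limit is exceeded.
class DepthGuard
  include REXML::StreamListener
  class TooDeep < StandardError; end

  attr_reader :max_seen

  def initialize(limit)
    @limit = limit
    @depth = 0
    @max_seen = 0
  end

  def tag_start(_name, _attrs)
    @depth += 1
    @max_seen = @depth if @depth > @max_seen
    raise TooDeep, "XML nesting exceeds #{@limit} levels" if @depth > @limit
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Returns the maximum nesting depth when the document stays within `limit`,
# or nil when it is too deep or not well-formed. Run this before handing the
# document to a recursive tree-to-hash conversion. The limit is an assumption.
def check_xml_depth(xml, limit: 100)
  guard = DepthGuard.new(limit)
  REXML::Document.parse_stream(xml, guard)
  guard.max_seen
rescue DepthGuard::TooDeep, REXML::ParseException
  nil
end

# Constructed sample input: a document with `depth` nested <a> elements.
def nested_xml(depth)
  ('<a>' * depth) + 'x' + ('</a>' * depth)
end

if __FILE__ == $0
  p check_xml_depth(nested_xml(10))    # 10
  p check_xml_depth(nested_xml(5000))  # nil
end
```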
Reference:
http://www.openwall.com/lists/oss-security/2015/06/16/16
(from redmine: issue id 4367, created on 2015-06-17, closed on 2015-07-10)
- Relations:
- parent #4366 (closed)
- Changesets:
- Revision dffc69fd by Kaarle Ritvanen on 2015-07-08T09:45:20Z:
main/ruby-rails4.2: upgrade to 4.2.3 (incl. dependencies)
fixes #4367
(cherry picked from commit 390c5e61822473fce8eca628ebc0105fec79361b)