"Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" Check your applications now! #hashdos

Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)

ruby-lang.org 09 Nov '12, 8pm

"Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" Check your applications now! #hashdos

Hash-flooding DoS attack reported for the Hash function ruby 1.9 series were using. This vulnerability is different from CVS-2011-4815 for ruby 1.8.7. All ruby 1.9 users are recommended to upgrade to ruby-1.9.3 patchlevel 327 to get this security fix. Impact Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity. Details This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other . This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4 . Solution Please ...

Full article: http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdo...

Tweets

@prianthon » 02 Dec '12, 1am
RT @KpliJakarta: Yang mau tau Hash-flooding DoS vulnerability di ruby itu apa bisa di lihat di tautan ini [link]
@KpliJakarta » 02 Dec '12, 1am
Yang mau tau Hash-flooding DoS vulnerability di ruby itu apa bisa di lihat di tautan ini [link]
@victorrico2007 » 17 Nov '12, 12am
Denegación de servicio remota en Ruby por colisiones en tablas hash.. [link] #noticiasdeseguridad
@lilleswing » 12 Nov '12, 8pm
RT @superninjarobot: Ruby 1.9-ers: update your Rubies, lest they be hacked. [link]
@superninjarobot » 12 Nov '12, 4pm
Ruby 1.9-ers: update your Rubies, lest they be hacked. [link]
@picandocodigo » 12 Nov '12, 3pm
Hash-flooding DoS vulnerability for #ruby 1.9 - [link] - rvm get stable && rvm upgrade ruby
@ziromr » 12 Nov '12, 12pm
Dank meiner vollautomatisierten Infrastruktur (DevOps) war das Update in 2 Minuten eingespielt [link]
@benjamin_ds » 12 Nov '12, 12pm
RT @ruby_news: Ruby 1.9.3p327 released. Contains a security fix - check your apps! [link]
@ruby_news » 12 Nov '12, 12pm
Ruby 1.9.3p327 released. Contains a security fix - check your apps! [link]
@SPoint » 12 Nov '12, 8am
RT @aumasson: Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) [link]
@zlu » 11 Nov '12, 2am
Upgrade your ruby! [link]
@RubyReflector » 10 Nov '12, 11am
Top Ruby Article: Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371): [link]
@vhyza » 10 Nov '12, 9am
Another reason why strings as keys are bad :) - Hash-flooding DoS vulnerability for #ruby [link] #security //cc: @schovi
@newtonmota » 10 Nov '12, 3am
“@fnando: ruby 1.9.3-p327 released! [link]” cc @talesp
@fnando » 10 Nov '12, 3am
ruby 1.9.3-p327 released! [link]
@Vitoces » 09 Nov '12, 11pm
RT @jedisct1: RT @nahi: "Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" [link] Check your applications now! #hashdos
@_emboss_ » 09 Nov '12, 10pm
Who's first shipping a fix for #hashDoS II? You're right, Ruby is. [link]
@oscardelben » 09 Nov '12, 10pm
RT @spastorino: Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) [link]
@hsbt » 09 Nov '12, 9pm
Ruby の新しいパッチレベルがリリースされてる! [link]
@conradirwin » 09 Nov '12, 9pm
Security is hard. [link]
@hiro_asari » 09 Nov '12, 9pm
RT @nahi: "Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" [link] Check your applications now! #hashdos
@nahi » 09 Nov '12, 9pm
"Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" [link] Check your applications now! #hashdos
@zundan » 09 Nov '12, 9pm
RT @shyouhei: [link]
@nalsh » 09 Nov '12, 8pm
RT @unak: 【今度は】Rubyに脆弱性【ホント】 [link]
@unak » 09 Nov '12, 8pm
【今度は】Rubyに脆弱性【ホント】 [link]
@bascule » 09 Nov '12, 9pm
RT @nahi: "Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" [link] Check your applications now! #hashdos
@_ko1 » 09 Nov '12, 9pm
RT @nahi: "Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" [link] Check your applications now! #hashdos
@shyouhei » 09 Nov '12, 9pm
[link]

Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)

"Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)" Check your applications now! #hashdos

Tweets

ruby 1.9 におけるハッシュ飽和攻撃による DoS 脆弱性 (CVE-2012-5371)

ruby 1.9に対する攻撃方法が見つかった>『ruby 1.9 系列で使用しているハッシュ関...

Ruby 1.9.3-p327 is released

Ruby 1.9.3-p327 リリース

Требуется Ruby on Rails разработчик #hantim

Bundler: The best way to manage Ruby applications:

Venice swamped by near-record flooding