Debian Security Advisory

DSA-1695-1 ruby1.8, ruby1.9 -- memory leak

Date Reported:
02 Jan 2009
Affected Packages:
ruby1.8, ruby1.9
Security database references:
In the Debian bugtracking system: Bug 494401.
In Mitre's CVE dictionary: CVE-2008-3443.
More information:

The regular expression engine of Ruby, a scripting language, contains a memory leak which can be triggered remotely under certain circumstances, leading to a denial of service condition (CVE-2008-3443).

In addition, this security update addresses a regression in the REXML XML parser of the ruby1.8 package; the regression was introduced in DSA-1651-1.

For the stable distribution (etch), this problem has been fixed in version 1.8.5-4etch4 of the ruby1.8 package, and version 1.9.0+20060609-1etch4 of the ruby1.9 package.

For the unstable distribution (sid), this problem has been fixed in version of the ruby1.8 package. The ruby1.9 package will be fixed soon.

We recommend that you upgrade your Ruby packages.
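As an added check (not part of the advisory), the following Ruby script reports whether installed ruby1.8 and ruby1.9 packages are still below the etch versions named above. It compares versions with a port of dpkg's own algorithm (epoch, upstream version, Debian revision; `~` sorts before everything, letters before other characters, digit runs compared numerically) so that revisions like `4etch3` and `4etch4` order correctly. The `dpkg-query` sample output and the `audit` function are constructed for this example; only the etch fixed versions are listed, since the advisory does not give the sid version.

```ruby
# Added example, not from the Debian advisory: flag ruby1.8 / ruby1.9
# installations older than the etch versions that DSA-1695-1 says fix
# CVE-2008-3443. Version comparison is a Ruby port of dpkg's algorithm.

# Fixed source-package versions for etch, taken from the advisory text.
FIXED_VERSIONS = {
  "ruby1.8" => "1.8.5-4etch4",
  "ruby1.9" => "1.9.0+20060609-1etch4",
}.freeze

def digit?(c)
  !c.nil? && c >= "0" && c <= "9"
end

# Sort weight of one character in a non-digit segment, as in dpkg's order().
def order(c)
  return 0 if c.nil? || digit?(c)   # end of string and digits weigh 0
  return -1 if c == "~"             # tilde sorts before everything, even end
  return c.ord if c =~ /[A-Za-z]/   # letters before other characters
  c.ord + 256
end

# Compare upstream-version or revision strings like dpkg's verrevcmp().
def verrevcmp(a, b)
  a = a.chars
  b = b.chars
  i = 0
  j = 0
  while i < a.length || j < b.length
    first_diff = 0
    # Non-digit segment: compare character weights position by position.
    while (i < a.length && !digit?(a[i])) || (j < b.length && !digit?(b[j]))
      ac = order(a[i])
      bc = order(b[j])
      return ac - bc if ac != bc
      i += 1
      j += 1
    end
    # Digit segment: drop leading zeros, then compare numerically.
    i += 1 while a[i] == "0"
    j += 1 while b[j] == "0"
    while digit?(a[i]) && digit?(b[j])
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1
      j += 1
    end
    return 1 if digit?(a[i])        # a has more digits, so it is larger
    return -1 if digit?(b[j])
    return first_diff unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three parts.
def parse_version(v)
  epoch = 0
  rest = v
  if (colon = v.index(":"))
    epoch = v[0...colon].to_i
    rest = v[(colon + 1)..]
  end
  if (dash = rest.rindex("-"))
    [epoch, rest[0...dash], rest[(dash + 1)..]]
  else
    [epoch, rest, ""]
  end
end

# Returns -1, 0 or 1, matching `dpkg --compare-versions` ordering.
def compare_versions(a, b)
  ea, ua, ra = parse_version(a)
  eb, ub, rb = parse_version(b)
  return ea <=> eb if ea != eb
  c = verrevcmp(ua, ub)
  return c <=> 0 unless c.zero?
  verrevcmp(ra, rb) <=> 0
end

# Audit lines shaped like `dpkg-query -W -f '${Package} ${Version}\n'` output.
# Returns {package => :vulnerable | :fixed} for the packages the advisory covers.
def audit(dpkg_output)
  dpkg_output.each_line.with_object({}) do |line, status|
    pkg, ver = line.split
    next unless pkg && ver && FIXED_VERSIONS.key?(pkg)
    status[pkg] = compare_versions(ver, FIXED_VERSIONS[pkg]) < 0 ? :vulnerable : :fixed
  end
end

# Constructed sample (not from a real system): ruby1.8 still at the
# pre-advisory revision, ruby1.9 already at the fixed one.
SAMPLE_DPKG_OUTPUT = <<~OUT
  ruby1.8 1.8.5-4etch3
  ruby1.9 1.9.0+20060609-1etch4
  libruby1.8 1.8.5-4etch3
OUT

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_DPKG_OUTPUT).each { |pkg, st| puts "#{pkg}: #{st}" }
end
```

On a real etch host the sample would be replaced by the live output of `dpkg-query -W -f '${Package} ${Version}\n' ruby1.8 ruby1.9`; the comparison is done in Ruby only so the check runs offline, and `dpkg --compare-versions` gives the same ordering.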

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.