JRuby: Denial of service — GLSA 201207-06

A hash collision vulnerability in JRuby allows remote attackers to cause a Denial of Service condition.

Affected packages

dev-java/jruby on all architectures
Affected versions < 1.6.5.1
Unaffected versions >= 1.6.5.1

Background

JRuby is a Java-based Ruby interpreter implementation.

Description

JRuby does not properly randomize hash functions to protect against hash collision attacks.

Impact

A remote attacker could send a specially crafted input, possibly resulting in a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All JRuby users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-java/jruby-1.6.5.1"
 

References

Release date
July 09, 2012

Latest revision
July 09, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries