Sha256: bc692063c8ab86eec97a9584cf29ba58f758c0a2f6bb17165b0e09e9e8fd12b5

Contents?: true

Size: 969 Bytes

Versions: 5

Compression:

Stored size: 969 Bytes

Contents

---
gem: activesupport
cve: 2015-3227
url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
title: |
  Possible Denial of Service attack in Active Support

date: 2015-06-16

description: |
  Specially crafted XML documents can cause applications to raise a
  `SystemStackError` and potentially cause a denial of service attack.  This
  only impacts applications using REXML or JDOM as their XML processor.  Other
  XML processors that Rails supports are not impacted.

  All users running an affected release should either upgrade or use one of the workarounds immediately.

  Workarounds
  -----------
  Use an XML parser that is not impacted by this problem, such as Nokogiri or
  LibXML.  You can change the processor like this:

    ActiveSupport::XmlMini.backend = 'Nokogiri'

  If you cannot change XML parsers, then adjust
  `RUBY_THREAD_MACHINE_STACK_SIZE`.

patched_versions:
  - ">= 4.2.2"
  - "~> 4.1.11"
  - "~> 3.2.22"

Version data entries

5 entries across 5 versions & 2 rubygems

Version Path
bundler-budit-0.6.2 data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml