[ANN] Security Fix json-1.1.7 for json_pure and json gems

Discussion in 'Ruby' started by Florian Frank, Jun 30, 2009.

Synopsis
========

Security Fix Release json-1.1.7 for json_pure and json gems.

Description
===========

The JSON::Pure::Parser contains a vulnerability that may lead to
catastrophic backtracking in one of its regular expressions. This
vulnerability doesn't affect the JSON::Ext::Parser or Rails'
Active::Support::JSON. Ruby 1.9.1 (but not Ruby 1.9 trunk) contains
the vulnerable json/pure code as well, so if you want to use the pure
parser you should update to a newer version or use the json gem 1.1.7
version.

Impact
======

An attacker can cause a denial of service attack by passing a
specially designed string into the JSON::Pure::Parser#parse method.

Affected versions
=================

- versions 1.1.0-1.1.6 of the JSON::Pure::Parser

Credit
======

Thanks to Bartosz Blimke for reporting this bug.

Changes
=======

2009-06-29 (1.1.7)
  * Security Fix for JSON::Pure::Parser. A specially designed string
    could cause catastrophic backtracking in one of the parser's
    regular expressions in earlier 1.1.x versions. JSON::Ext::Parser
    isn't affected by this issue. Thanks to Bartosz Blimke
    <> for reporting this problem.
  * This release also uses a less strict ruby version requirement for
    the creation of the mswin32 native gem.

Download
========

Version 1.1.7 of json and json_pure on
http://rubyforge.org/frs/?group_id=953

Florian Frank, Jun 30, 2009
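A quick self-check against the affected range stated in the announcement, as an added example that is not part of the announcement or of the json gem itself: it combines the two conditions the advisory gives (json version 1.1.0 through 1.1.6 and the pure-Ruby parser in use) and reports whether the loaded library matches. The constant name JSON::Pure::Parser and the JSON.parser accessor are assumptions about the gem's API.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement
require 'json'

# Affected range taken from the advisory: 1.1.0 through 1.1.6, pure parser only.
AFFECTED_JSON_VERSIONS = Gem::Requirement.new('>= 1.1.0', '<= 1.1.6')

# True only when BOTH advisory conditions hold: the json version lies in the
# affected range and the pure-Ruby parser (JSON::Pure::Parser, assumed name)
# is the one in use. JSON::Ext::Parser is not affected, whatever the version.
def vulnerable_json?(version, parser_name)
  pure = parser_name.to_s =~ /pure/i ? true : false
  pure && AFFECTED_JSON_VERSIONS.satisfied_by?(Gem::Version.new(version))
end

# Assesses the json library loaded into this process. JSON.parser is assumed
# to return the active parser class; falls back to 'unknown' if absent.
def assess_loaded_json
  version = JSON::VERSION
  parser  = JSON.respond_to?(:parser) && JSON.parser ? JSON.parser.name : 'unknown'
  { version: version, parser: parser, vulnerable: vulnerable_json?(version, parser) }
end

if __FILE__ == $0
  r = assess_loaded_json
  status = r[:vulnerable] ? 'AFFECTED, upgrade to json 1.1.7 or use the ext parser' : 'not affected'
  puts "json #{r[:version]} using #{r[:parser]}: #{status}"
end
```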