The fix for this issue, as mentioned in http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/, is already included in the package:
[EMAIL PROTECTED]:/tmp$ export LANG=C
[EMAIL PROTECTED]:/tmp$ apt-get source libruby1.8
Reading package lists... Done
Building dependency tree... Done
Skipping already downloaded file 'ruby1.8_1.8.5-3.dsc'
Need to get 4522kB of source archives.
Get:1 http://ftp.br.debian.org sid/main ruby1.8 1.8.5-3 (tar) [4434kB]
Get:2 http://ftp.br.debian.org sid/main ruby1.8 1.8.5-3 (diff) [87.8kB]
Fetched 4476kB in 14s (302kB/s)
gpg: Signature made Mon Oct 30 05:19:41 2006 BRT using DSA key ID E213F1A0
gpg: Can't check signature: public key not found
dpkg-source: extracting ruby1.8 in ruby1.8-1.8.5
dpkg-source: unpacking ruby1.8_1.8.5.orig.tar.gz
dpkg-source: applying ./ruby1.8_1.8.5-3.diff.gz
[EMAIL PROTECTED]:/tmp$ cat ruby1.8-1.8.5/debian/patches/130_cgi_empty_content.patch
--- ruby-1.8.5/lib/cgi.rb 4 Sep 2006 07:36:49 -0000 1.68.2.17 +++ ruby-1.8.5/lib/cgi.rb 23 Sep 2006 12:47:11 -0000 1.68.2.18 @@ -1018,7 +1018,7 @@ else stdinput.read(content_length) end - if c.nil? + if c.nil? || c.empty? raise EOFError, "bad content body" end buf.concat(c)
[EMAIL PROTECTED]:/tmp$

The patch is not mentioned in debian/changelog, however.

--
Antonio S. de A. Terceiro <[EMAIL PROTECTED]>
http://people.softwarelivre.org/~terceiro/
GnuPG ID: E6F73C30
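
Review bot: the patch file begins directly at the "---" header with no description, and the message notes it is absent from debian/changelog, so nothing ties the changed condition in the @@ -1018,7 +1018,7 @@ hunk to CVE-2006-5467. Add a short header to 130_cgi_empty_content.patch and a changelog entry naming the CVE, so the fix can be found from the package's own records. A one-line comment above "if c.nil? || c.empty?" would also help, saying why a zero-length read is treated like a failed one: an empty c adds nothing at buf.concat(c).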