
CVE-2013-0269 Denial of Service and Unsafe Object Creation Vulnerability in JSON

Ruby JSON parsing gems were vulnerable to denial of service and unsafe object
creation attacks when used on user controlled data.  These could be used to
create objects in unexpected ways, as well as to consume memory through
persistent object creation.

This updates our JSON gem to version 1.7.7, a version that is no longer
vulnerable to those attacks, mitigating this risk in the Microkernel.

This is the only mitigation required, as the Microkernel already correctly
uses `JSON.parse` - a safe API for untrusted input - rather than `JSON.load`
or other vulnerable inputs.

Signed-off-by: Daniel Pittman <daniel@rimspace.net>
1 parent 4ba16dd commit 8410611232d0962c4ba189f303e07891271b781f @slippycheeze slippycheeze committed Feb 12, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 opt/gems/gem.list
@@ -1,4 +1,4 @@
stomp
facter
-json_pure
+json_pure >= 1.7.7
daemons
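Review bot: the changed line `+json_pure >= 1.7.7` sets a version floor, not a pin, so the message's "updates our JSON gem to version 1.7.7" should be read as "requires at least 1.7.7"; that is the right shape for a security fix, but it only holds if whatever consumes opt/gems/gem.list parses the `>= 1.7.7` requirement rather than treating the whole line as a gem name (the other entries, `stomp`, `facter`, `daemons`, are bare names). Worth confirming with the install tooling, and worth a one-line comment in gem.list recording that the floor exists because of CVE-2013-0269 so a later cleanup does not drop it.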
