Candidate: CVE-2014-6438
PublicDate: 2017-09-06 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6438
 https://github.com/ruby/www.ruby-lang.org/issues/817
 https://www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released/
 http://www.openwall.com/lists/oss-security/2015/07/13/5
Description:
 The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows
 remote attackers to cause a denial of service (catastrophic regular
 expression backtracking, resource consumption, or application crash) via a
 crafted string.
Ubuntu-Description:
Notes:
 sbeattie> fixed in 1.9.3 and newer. ruby1.9.1 packages are not affected
 sbeattie> because they are all ruby 1.9.3.
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_ruby1.8:
upstream_ruby1.8: needs-triage
precise_ruby1.8: ignored (reached end-of-life)
precise/esm_ruby1.8: DNE (precise was needs-triage)
trusty_ruby1.8: DNE
trusty/esm_ruby1.8: DNE
utopic_ruby1.8: DNE
vivid_ruby1.8: DNE
vivid/stable-phone-overlay_ruby1.8: DNE
vivid/ubuntu-core_ruby1.8: DNE
wily_ruby1.8: DNE
xenial_ruby1.8: DNE
yakkety_ruby1.8: DNE
zesty_ruby1.8: DNE
devel_ruby1.8: DNE

Patches_ruby1.9:
upstream_ruby1.9: needs-triage
maverick_ruby1.9: DNE
precise_ruby1.9: DNE
precise/esm_ruby1.9: DNE
trusty_ruby1.9: DNE
trusty/esm_ruby1.9: DNE
utopic_ruby1.9: DNE
vivid_ruby1.9: DNE
vivid/stable-phone-overlay_ruby1.9: DNE
vivid/ubuntu-core_ruby1.9: DNE
wily_ruby1.9: DNE
xenial_ruby1.9: DNE
yakkety_ruby1.9: DNE
zesty_ruby1.9: DNE
devel_ruby1.9: DNE

Patches_ruby1.9.1:
upstream_ruby1.9.1: released (1.9.2-p330)
precise_ruby1.9.1: not-affected (1.9.2 only)
precise/esm_ruby1.9.1: DNE (precise was not-affected [1.9.2 only])
trusty_ruby1.9.1: not-affected (1.9.2 only)
trusty/esm_ruby1.9.1: DNE (trusty was not-affected [1.9.2 only])
utopic_ruby1.9.1: not-affected (1.9.2 only)
vivid_ruby1.9.1: not-affected (1.9.2 only)
vivid/stable-phone-overlay_ruby1.9.1: DNE
vivid/ubuntu-core_ruby1.9.1: DNE
wily_ruby1.9.1: DNE
xenial_ruby1.9.1: DNE
yakkety_ruby1.9.1: DNE
zesty_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise_ruby2.0: DNE
precise/esm_ruby2.0: DNE
trusty_ruby2.0: not-affected (1.9.2 only)
trusty/esm_ruby2.0: DNE (trusty was not-affected [1.9.2 only])
utopic_ruby2.0: not-affected (1.9.2 only)
vivid_ruby2.0: DNE
vivid/stable-phone-overlay_ruby2.0: DNE
vivid/ubuntu-core_ruby2.0: DNE
wily_ruby2.0: DNE
xenial_ruby2.0: DNE
yakkety_ruby2.0: DNE
zesty_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.1:
upstream_ruby2.1: not-affected (1.9.2 only)
precise_ruby2.1: DNE
precise/esm_ruby2.1: DNE
trusty_ruby2.1: DNE
trusty/esm_ruby2.1: DNE
utopic_ruby2.1: not-affected (1.9.2 only)
vivid_ruby2.1: not-affected (1.9.2 only)
vivid/stable-phone-overlay_ruby2.1: DNE
vivid/ubuntu-core_ruby2.1: DNE
wily_ruby2.1: not-affected (1.9.2 only)
xenial_ruby2.1: DNE
yakkety_ruby2.1: DNE
zesty_ruby2.1: DNE
devel_ruby2.1: DNE

Patches_ruby2.2:
upstream_ruby2.2: not-affected (1.9.2 only)
precise_ruby2.2: DNE
precise/esm_ruby2.2: DNE
trusty_ruby2.2: DNE
trusty/esm_ruby2.2: DNE
utopic_ruby2.2: DNE
vivid_ruby2.2: DNE
vivid/stable-phone-overlay_ruby2.2: DNE
vivid/ubuntu-core_ruby2.2: DNE
wily_ruby2.2: not-affected (1.9.2 only)
xenial_ruby2.2: DNE
yakkety_ruby2.2: DNE
zesty_ruby2.2: DNE
devel_ruby2.2: DNE

Patches_ruby2.3:
upstream_ruby2.3: not-affected (1.9.2 only)
precise_ruby2.3: DNE
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
utopic_ruby2.3: DNE
vivid_ruby2.3: DNE
vivid/stable-phone-overlay_ruby2.3: DNE
vivid/ubuntu-core_ruby2.3: DNE
wily_ruby2.3: DNE
xenial_ruby2.3: not-affected (1.9.2 only)
esm-infra/xenial_ruby2.3: not-affected (1.9.2 only)
yakkety_ruby2.3: not-affected (1.9.2 only)
zesty_ruby2.3: not-affected (1.9.2 only)
devel_ruby2.3: not-affected (1.9.2 only)