Debian-LTS has issued an advisory on July 15: http://lwn.net/Alerts/694766/
They backported patches from 1.0.7. The Debian bugs have more information:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678512
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696015
Looks like we only have this package still because of pcs/glusterfs.
CC: (none) => thomas
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated ruby-eventmachine packages fix security vulnerability:

EventMachine could be crashed by opening a high number of parallel connections (>= 1024) towards a server using the EventMachine engine. The crash happens due to the file descriptors overwriting the stack.

References:
http://lwn.net/Alerts/694766/
========================

Updated packages in core/updates_testing:
========================

ruby-eventmachine-1.0.3-3.1.mga5
ruby-eventmachine-doc-1.0.3-3.1.mga5

from ruby-eventmachine-1.0.3-3.1.mga5.src.rpm
Assignee: pterjan => qa-bugs
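The mechanism the advisory describes (descriptor numbers at or above 1024 overwriting the stack) is the classic select()/fd_set bug class: an fd_set is a fixed bitmap of FD_SETSIZE (normally 1024) bits, and FD_SET() performs no bounds check, so registering a descriptor numbered >= FD_SETSIZE writes past the bitmap into whatever sits next to it. The following is an added illustration of that bug class and of the bounds check that prevents it; it is not EventMachine's code and does not reproduce its reactor. The reactor struct, the register_*() helpers and the /dev/null flood in main() are all constructed here for the example.

```c
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/resource.h>

/* Hypothetical select()-based reactor state. The fd_set is a fixed bitmap
 * of FD_SETSIZE bits; placing another field directly after it shows what
 * an out-of-range FD_SET() would clobber. */
struct reactor {
    fd_set readers;   /* FD_SETSIZE bits, no room for larger fd numbers */
    int    max_fd;    /* sits right after the bitmap in memory */
    int    rejected;  /* descriptors refused because they do not fit */
};

void reactor_init(struct reactor *r)
{
    FD_ZERO(&r->readers);
    r->max_fd = -1;
    r->rejected = 0;
}

/* The unchecked pattern. FD_SET() with fd >= FD_SETSIZE writes outside the
 * bitmap (here into max_fd, or past the struct if it were the last member).
 * Deliberately never called with an out-of-range fd in this program; it is
 * kept only for comparison with the hardened version below. */
void register_unchecked(struct reactor *r, int fd)
{
    FD_SET(fd, &r->readers);    /* out-of-bounds write when fd >= FD_SETSIZE */
    if (fd > r->max_fd) r->max_fd = fd;
}

/* Hardened version: refuse any descriptor the bitmap cannot hold.
 * Returns 0 on success, -1 with errno = EINVAL when fd is out of range. */
int register_checked(struct reactor *r, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        r->rejected++;
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, &r->readers);
    if (fd > r->max_fd) r->max_fd = fd;
    return 0;
}

/* Stand-alone demo: open descriptors on /dev/null until the numbering passes
 * FD_SETSIZE (or the process limit stops us) and register each one with the
 * checked helper, which refuses the ones that would overflow the bitmap. */
int main(void)
{
    struct reactor r;
    struct rlimit rl;
    int fds[FD_SETSIZE + 16];
    int opened = 0;

    reactor_init(&r);

    /* The default soft limit is often exactly 1024, which would hide the
     * problem; raise it to the hard limit so fd 1024 can actually be reached. */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < rl.rlim_max) {
        rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);
    }

    while (opened < FD_SETSIZE + 16) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) {
            printf("open() failed after %d descriptors: %s\n", opened, strerror(errno));
            break;
        }
        fds[opened++] = fd;
        if (register_checked(&r, fd) < 0)
            printf("fd %d refused: does not fit in an fd_set of %d bits\n", fd, FD_SETSIZE);
    }
    printf("highest registered fd %d, refused %d descriptors\n", r.max_fd, r.rejected);

    for (int i = 0; i < opened; i++)
        close(fds[i]);
    return 0;
}
```

A server that cannot accept a connection it has no room to watch should close it (or stop accepting before the limit) rather than register it; the check above is the minimum that turns a stack corruption into a refused connection. Moving the reactor to poll()/epoll, which the EventMachine patches referenced above address, removes the fixed FD_SETSIZE ceiling entirely.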
Testing this on x86_64 using a ruby chat script found at http://eventmachine.rubyforge.org/file.GettingStarted.html This uses the eventmachine with a chat server to echo messages when users login via telnet localhost 10000. User input appears on the server terminal and on the separate client terminals. Tried this before and after the update and it worked perfectly. Limited the tests to two users. Not going to attempt 1024+ connections for the PoC. I would be glad of some direction on including external source code in the testing arsenal. Is there a wiki entry about that anywhere?
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Should have added that there are web application frameworks out there which rely on ruby eventmachine, such as Thin and Goliath.
Checked this over in a 32-bit vbox. It worked fine before and after the update. The eventmachine handled messages from host to vm, vm to vm and external machine to vm. Messages echoed on all the consoles. So, on the basis that the service continues to run properly after the update, this can be validated.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0276.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED