Arch Linux Security Advisory ASA-201411-16
==========================================

Severity: Medium
Date    : 2014-11-17
CVE-ID  : CVE-2014-8090
Package : ruby
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package ruby before version 2.1.5-1 is vulnerable to denial of service
through unrestricted XML entity expansion.

Resolution
==========

Upgrade to 2.1.5-1.

# pacman -Syu "ruby>=2.1.5-1"

The problem has been fixed upstream in version 2.1.5.

Workaround
==========

If you cannot upgrade Ruby, use this monkey patch as a workaround:

    # Make Document#document return the document itself, so that REXML's
    # entity expansion accounting is applied to text read from the document.
    class REXML::Document
      def document
        self
      end
    end

Description
===========

CPU exhaustion can occur as a result of recursive expansion with an empty
string. When reading text nodes from an XML document, the REXML parser can be
coerced into allocating extremely large string objects which can consume all of
the memory on a machine, causing a denial of service.

Impact
======

A remote attacker using a specially crafted XML document is able to perform
denial of service through CPU and/or memory exhaustion.

References
==========

https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
https://access.redhat.com/security/cve/CVE-2014-8090
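An added hardening example (not part of this advisory or of Ruby's own code): on a fixed REXML, the entity-expansion caps can be tightened through REXML::Security, and a parser for untrusted input can additionally refuse any document that declares its own entities before a single text node is read, which is the point at which REXML performs expansion. The limit values, function names and sample documents are assumptions.

```ruby
require "rexml/document"
require "rexml/security"

class UntrustedDtdError < StandardError; end

# Global caps on entity expansion (assumed values, tighter than the defaults
# REXML has shipped since the fix). REXML raises once a document expands more
# entities, or more expanded text, than these allow.
REXML::Security.entity_expansion_limit = 100
REXML::Security.entity_expansion_text_limit = 1_024

# True if the parsed document's DOCTYPE declares any entity of its own.
def declares_entities?(doc)
  return false unless doc.doctype
  doc.doctype.to_a.any? { |child| child.is_a?(REXML::Entity) }
end

# Parse XML from an untrusted source and return the root element's text.
# The DOCTYPE is inspected before any text is read, so documents carrying
# their own entity declarations are rejected without expanding anything.
def untrusted_root_text(xml)
  doc = REXML::Document.new(xml)
  raise UntrustedDtdError, "document declares entities" if declares_entities?(doc)
  doc.root.text.to_s
end

# Constructed sample inputs: a plain document, and one with an internal entity.
BENIGN_XML = "<note>hello &amp; welcome</note>"
ENTITY_XML = <<~XML
  <!DOCTYPE note [ <!ENTITY greet "hello"> ]>
  <note>&greet;</note>
XML

if __FILE__ == $0
  puts untrusted_root_text(BENIGN_XML)
  begin
    untrusted_root_text(ENTITY_XML)
  rescue UntrustedDtdError => e
    puts "rejected: #{e.message}"
  end
end
```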