«

Synopsis
========

Security Fix Release json-1.1.7 for json_pure and json gems.

Description
===========

The JSON:ure:arser contains a vulnerability that may lead to
catastrophic backtracking in one of its regular expressions. This
vulnerability doesn't affect the JSON::Ext:arser or Rail's
Active::Support::JSON. Ruby 1.9.1 (but not Ruby 1.9 trunk) contains
the vulnerable json/pure code as well, so if you want to use the pure
parser you should update to a newer version or use the json gem 1.1.7
version.


Impact
======

An attacker can cause a denial of service attack by passing a
specially designed string into the JSON:ure:arser#parse method.

Affected versions
=================

- versions 1.1.0-1.1.6 of the JSON:ure:arser

Credit
======

Thanks to Bartosz Blimke for reporting this bug.

Changes
=======

2009-06-29 (1.1.7)
* Security Fix for JSON:ure:arser. A specially designed string
could cause catastrophic backtracking in one of the parser's
regular expressions in earlier 1.1.x versions. JSON::Ext:arser
isn't affected by this issue. Thanks to Bartosz Blimke
<> for reporting this problem.
* This release also uses a less strict ruby version requirement for
the creation of the mswin32 native gem.

Download
========

Version 1.1.7 of json and json_pure on
http://rubyforge.org/frs/?group_id=953