There is a denial of service vulnerability for Ruby applications that either use
cgi.rb, or run on Mongrel or Litespeed. This means that Rails is affected. The fix is described below.
…there has been an exploitable bug in the Ruby CGI library named cgi.rb, which allows anyone on the internet to send a single HTTP request to any Ruby program (not just Mongrel) using cgi.rb multipart parsing with a malformed MIME body that causes the Ruby process to go into a 99% CPU infinite loop, killing it.
The quickest fix is to update your mongrel version. You have to use
--source, though, because 0.3.14 isn’t in the main repository yet:
sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases
Be warned. This gem breaks relative paths in
X-Sendfile headers with Apache 2.2 (and possibly others). Use
File.expand_path() to convert to absolute before you set the header.
See the mailing list message for alternative fixes if you don’t use mongrel or if upgrading the mongrel gem is not an option for you.
Thanks to cdcarter for the tip.