InfoQ

Ruby interpreter vulnerabilities

Posted by Werner Schuster on Jun 22, 2008

Sections: Development, Architecture & Design
Topics: Ruby, Runtimes, Ruby on Rails, Security
Tags: Rails, Vulnerabilities
A security advisory was published, warning about serious vulnerabilities in Ruby 1.8.x and Ruby 1.9:
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code. [..]
The affected versions:
1.8 series
 * 1.8.4 and all prior versions
 * 1.8.5-p230 and all prior versions
 * 1.8.6-p229 and all prior versions
 * 1.8.7-p21 and all prior versions
1.9 series
 * 1.9.0-1 and all prior versions
Jeremy Kemper points out on the Riding Rails blog:
Those of us running Ruby 1.8.4 or earlier must upgrade to 1.8.5 or later for a fix. Those on 1.8.5-7 can grab the latest patchlevel release for a fix.
(Please note: Ruby 1.8.7 breaks backward compatibility and is only compatible with Rails 2.1 and later, so don’t go overboard!)
The issues were discovered by Drew Yao of Apple Product Security.

Upgrading is recommended, but verify first that the upgrade won't break the application. Comments on Jeremy's blog entry, as well as RubyInside's coverage of the vulnerabilities, point to possible compatibility and stability problems when moving to the fixed 1.8.6 release, 1.8.6-p230.
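Before deciding whether an upgrade is needed at all, it helps to check the running interpreter against the affected ranges quoted from the advisory above. The following script is an added example written for this page, not code from the advisory, ruby-lang.org, or the Rails team. It reads Ruby's own RUBY_VERSION and RUBY_PATCHLEVEL constants and maps them onto the "and all prior versions" ranges. Two points are assumptions: the "-N" suffix of 1.9.0-N is treated as the patchlevel, and versions the advisory does not name (1.8.4 and earlier excepted, which are all affected) are reported as outside its scope rather than as safe.

```ruby
# Added example (not from the advisory): classify a Ruby interpreter
# version against the affected ranges in the June 2008 advisory.

# "major.minor.teeny" => highest affected patchlevel for that release line.
# The advisory lists these as "<version> and all prior versions".
AFFECTED = {
  "1.8.5" => 230,
  "1.8.6" => 229,
  "1.8.7" => 21,
  "1.9.0" => 1,  # assumption: the "-1" in "1.9.0-1" is read as the patchlevel
}

# Returns :affected, :fixed or :unknown for a version string and patchlevel.
# Development builds report RUBY_PATCHLEVEL == -1, and 1.8.4 and earlier do
# not define RUBY_PATCHLEVEL at all, so nil and negative values are handled.
def advisory_status(version, patchlevel)
  major, minor, teeny = version.split(".").map { |x| Integer(x) }
  tuple = [major, minor, teeny]

  # 1.8.4 and everything before it is affected regardless of patchlevel;
  # the only fix for those is moving to 1.8.5 or later.
  return :affected if (tuple <=> [1, 8, 4]) <= 0

  # A development build cannot be placed inside a patchlevel range.
  return :unknown if patchlevel.nil? || patchlevel < 0

  limit = AFFECTED[version]
  # Releases the advisory does not name (e.g. anything after 1.9.0) are
  # out of its scope; do not silently report them as fixed.
  return :unknown unless limit

  patchlevel <= limit ? :affected : :fixed
end

# Status of the interpreter executing this script.
def running_interpreter_status
  pl = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  advisory_status(RUBY_VERSION, pl)
end

if __FILE__ == $0
  pl = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : "none"
  puts "ruby #{RUBY_VERSION} patchlevel #{pl}: #{running_interpreter_status}"
end
```

Run it with each interpreter that serves an application (`/usr/bin/ruby`, a vendored build, a Rails host's system Ruby); only the interpreter actually executing the script is checked. An :unknown result means the version could not be placed in the advisory's ranges, not that it is safe.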

For more coverage of the vulnerabilities see "Updates on Drew Yao's Terrible Ruby Vulnerabilities", which shows some ways to reproduce the problems locally and points to the corresponding changes in the Ruby SVN repository.

The vulnerabilities are in the C code of the reference interpreter (MRI) for 1.8.x and 1.9.x, so alternative implementations such as JRuby, which runs on the JVM and shares none of that native code, should not be affected.
