InfoQ

Ruby interpreter vulnerabilities

Posted by Werner Schuster on Jun 22, 2008 03:30 PM

Community: Ruby | Topics: Runtimes, Ruby on Rails, Security | Tags: Rails, Vulnerabilities

A security advisory has been published warning of serious vulnerabilities in the Ruby 1.8.x and 1.9 interpreters:
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code. [..]
The affected versions:
1.8 series
 * 1.8.4 and all prior versions
 * 1.8.5-p230 and all prior versions
 * 1.8.6-p229 and all prior versions
 * 1.8.7-p21 and all prior versions
1.9 series
 * 1.9.0-1 and all prior versions
Jeremy Kemper points out on the Riding Rails blog:
Those of us running Ruby 1.8.4 or earlier must upgrade to 1.8.5 or later for a fix. Those on 1.8.5-7 can grab the latest patchlevel release for a fix.
(Please note: Ruby 1.8.7 breaks backward compatibility and is only compatible with Rails 2.1 and later, so don’t go overboard!)
The issues were discovered by Drew Yao of Apple Product Security.

Upgrading is recommended, but check first that the upgrade won't break your application. Comments on Jeremy's blog entry, as well as RubyInside's coverage of the vulnerabilities, point to possible compatibility and stability problems when upgrading to the fixed 1.8.6 release, 1.8.6-p230.
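As an added example (not code from the InfoQ post or from the Ruby project), the script below compares an interpreter's RUBY_VERSION and RUBY_PATCHLEVEL against the affected ranges quoted above and reports the first patchlevel past the range, which is the "latest patchlevel release" the quoted advice points to. It assumes the "-1" suffix of 1.9.0-1 can be treated like a patchlevel number, and it reports development snapshots (which expose RUBY_PATCHLEVEL as -1) as unknown rather than guessing.

```ruby
#!/usr/bin/env ruby
# Added example (not from the InfoQ post or the Ruby project): decide whether a
# Ruby interpreter falls inside the affected ranges quoted in the June 2008
# advisory, using RUBY_VERSION and RUBY_PATCHLEVEL as the interpreter reports them.

# Highest affected patchlevel for each release named in the advisory.
# Assumption: the "-1" suffix of 1.9.0-1 is treated like a patchlevel number.
MAX_AFFECTED_PATCHLEVEL = {
  [1, 8, 5] => 230,
  [1, 8, 6] => 229,
  [1, 8, 7] => 21,
  [1, 9, 0] => 1,
}.freeze

# Everything at or below this release is affected regardless of patchlevel
# ("1.8.4 and all prior versions").
LAST_WHOLLY_AFFECTED = [1, 8, 4].freeze

# Parse "x.y.z" into an array of integers; returns nil for unparseable input.
def parse_version(version)
  parts = version.to_s.split(".")
  return nil unless parts.size == 3 && parts.all? { |p| p =~ /\A\d+\z/ }
  parts.map(&:to_i)
end

# Returns :affected, :fixed or :unknown for a version string and patchlevel.
# :unknown covers unparseable versions and development snapshots, which
# report RUBY_PATCHLEVEL == -1 and cannot be placed in a range.
def advisory_status(version, patchlevel)
  v = parse_version(version)
  return :unknown if v.nil?
  return :affected if (v <=> LAST_WHOLLY_AFFECTED) <= 0
  max = MAX_AFFECTED_PATCHLEVEL[v]
  return :fixed if max.nil?   # release newer than anything on the list
  return :unknown if patchlevel.nil? || patchlevel < 0
  patchlevel <= max ? :affected : :fixed
end

# The first release past the affected range, as the "latest patchlevel
# release" advice implies (1.8.6-p229 affected => 1.8.6-p230 is the fix).
# 1.9.0 snapshots are written "1.9.0-N" rather than "1.9.0-pN".
def minimum_fix(version)
  v = parse_version(version)
  return nil if v.nil?
  return "1.8.5 or later" if (v <=> LAST_WHOLLY_AFFECTED) <= 0
  max = MAX_AFFECTED_PATCHLEVEL[v]
  return nil if max.nil?
  v[0, 2] == [1, 9] ? "#{version}-#{max + 1}" : "#{version}-p#{max + 1}"
end

if __FILE__ == $PROGRAM_NAME
  status = advisory_status(RUBY_VERSION, RUBY_PATCHLEVEL)
  puts "ruby #{RUBY_VERSION} patchlevel #{RUBY_PATCHLEVEL}: #{status}"
  puts "upgrade to #{minimum_fix(RUBY_VERSION)}" if status == :affected
end
```

Run it under the interpreter you want to check (`ruby check_ruby_advisory.rb`, assuming that file name); a result of :unknown on a snapshot build means you need to compare the build's SVN revision against the fix commits instead, which this script does not attempt.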

For more coverage of the vulnerabilities see "Updates on Drew Yao’s Terrible Ruby Vulnerabilities", which shows some ways to reproduce the problems locally, and points to the changes in the Ruby SVN repository.

Because the vulnerabilities are in the native C code of the 1.8.x and 1.9.x interpreters, other Ruby implementations such as JRuby, which do not share that code, should not be affected.
