Bindings, Platforms, and Innovation
This presentation focuses on the Internet and separating myth from fact, history from the future, and the mundane from the imaginative. Bob Frankston presents a vision of what could and should be.
News
Ruby interpreter vulnerabilities
Posted by Werner Schuster on Jun 22, 2008 03:30 PM
A security advisory was published, warning about serious vulnerabilities in Ruby 1.8.x and Ruby 1.9:Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code. [..]The affected versions:
1.8 seriesJeremy Kemper points out on the Riding Rails blog:
* 1.8.4 and all prior versions
* 1.8.5-p230 and all prior versions
* 1.8.6-p229 and all prior versions
* 1.8.7-p21 and all prior versions
1.9 series
* 1.9.0-1 and all prior versions
Those of us running Ruby 1.8.4 or earlier must upgrade to 1.8.5 or later for a fix. Those on 1.8.5-7 can grab the latest patchlevel release for a fix.The issues were discovered by Drew Yao of Apple Product Security.
(Please note: Ruby 1.8.7 breaks backward compatibility and is only compatible with Rails 2.1 and later, so don’t go overboard!)
It's recommended to upgrade, although it's recommended to make sure an upgrade won't break an application. Comments on Jeremy's blog entry, as well as RubyInside's coverage of the vulnerabilities point to possible compatibility/stability problems when upgrading to the fixed version of 1.8.6, which is 1.8.6-p230.
For more coverage of the vulnerabilities see "Updates on Drew Yao’s Terrible Ruby Vulnerabilities", which shows some ways to reproduce the problems locally, and points to the changes in the Ruby SVN repository.
As the vulnerabilities were found in the native code of 1.8.x and 1.9.x, other Ruby implementations like JRuby should not be affected.
RelatedVendorContent
Usage Landscape: Enterprise Open Source Data Integration
Download the Free Adobe® Flex® Builder 3 Trial
No comments
Watch Thread Reply