BT

New Early adopter or innovator? InfoQ has been working on some new features for you. Learn more

Ruby interpreter vulnerabilities

| by Werner Schuster on Jun 22, 2008. Estimated reading time: 1 minute |
A security advisory was published, warning about serious vulnerabilities in Ruby 1.8.x and Ruby 1.9:
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code. [..]
The affected versions:
1.8 series
 * 1.8.4 and all prior versions
 * 1.8.5-p230 and all prior versions
 * 1.8.6-p229 and all prior versions
 * 1.8.7-p21 and all prior versions
1.9 series
 * 1.9.0-1 and all prior versions
Jeremy Kemper points out on the Riding Rails blog:
Those of us running Ruby 1.8.4 or earlier must upgrade to 1.8.5 or later for a fix. Those on 1.8.5-7 can grab the latest patchlevel release for a fix.
(Please note: Ruby 1.8.7 breaks backward compatibility and is only compatible with Rails 2.1 and later, so don’t go overboard!)
The issues were discovered by Drew Yao of Apple Product Security.

It's recommended to upgrade, although it's recommended to make sure an upgrade won't break an application. Comments on Jeremy's blog entry, as well as RubyInside's coverage of the vulnerabilities point to possible compatibility/stability problems when upgrading to the fixed version of 1.8.6, which is 1.8.6-p230.

For more coverage of the vulnerabilities see "Updates on Drew Yao’s Terrible Ruby Vulnerabilities", which shows some ways to reproduce the problems locally, and points to the changes in the Ruby SVN repository.

As the vulnerabilities were found in the native code of 1.8.x and 1.9.x, other Ruby implementations like JRuby should not be affected.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and dont miss out on content that matters to you

BT