Hello all.

We have been releasing annual ruby versions for over a decade in this season. This is one for this year. We have fixed several bugs today. One of them is to fix CVE-2011-4815 (a more detailed situation about the issue is to follow this mail). So everyone who uses 1.8.7 should consider upgrading. For details, please read the ChangeLog as usual.

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.zip

Checksums:

MD5(ruby-1.8.7-p357.tar.gz)= b2b8248ff5097cfd629f5b9768d1df82
SHA256(ruby-1.8.7-p357.tar.gz)= 2fdcac4eb37b2eba1a4eef392a2922e07a9222fc86d781d92154d716434b962c
SIZE(ruby-1.8.7-p357.tar.gz)= 4895136

MD5(ruby-1.8.7-p357.tar.bz2)= 3abd9e2a29f756a0d30c7bfca578cdeb
SHA256(ruby-1.8.7-p357.tar.bz2)= 5c64b63a597b4cb545887364e1fd1e0601a7aeb545e576e74a6d8e88a2765a37
SIZE(ruby-1.8.7-p357.tar.bz2)= 4208157

MD5(ruby-1.8.7-p357.zip)= 23efe7ba50458f8df691c7fa07ce0578
SHA256(ruby-1.8.7-p357.zip)= b7672524ecac77e7f4bdbbfa5521109a0ef514d22bc726bad073d83b6044d445
SIZE(ruby-1.8.7-p357.zip)= 5994841

Have a happy new year,
on 2011-12-28 14:15
on 2011-12-28 14:35
Subject: Denial of service attack was found for Ruby's Hash algorithm

Impact:

This is something related to computational complexity. A specially crafted series of strings that intentionally collide their hash values with each other was found. With such sequences an attacker can issue a denial of service attack by, for instance, giving them as POST parameters of HTTP requests for your Rails application.

Detailed description:

The situation is similar to the one found for Perl in 2003. In the 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here "deterministic" means that no other bits of information than the input string itself are involved in generating a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can make the ruby process collide bins of hash tables (including `Hash` class instances). Hash tables' amortized O(1) attribute depends on the uniformity of the distribution of hash values. By giving such crafted input, an attacker can make hash tables work much slower than expected (namely O(n^2) to construct an n-element table in this case).

Affected versions:

- Ruby 1.8.7-p352 and all prior versions.

All Ruby 1.9 series are not affected by this kind of attack. They do not share hash implementations with the Ruby 1.8 series.

Solution:

Our solution is to scramble the string hash function by some PRNG-generated random bits. By doing so a string's hashed value is no longer deterministic. That is, a `String#hash` result is consistent only for the current process lifetime and will generate a different number for the next boot. To break this situation an attacker must create a set of strings which are robust to this kind of scrambling. This is believed to be quite difficult.

Please upgrade to the latest version of ruby via my previous post.
http://mla.n-z.jp/?ruby-talk=391606

Notes:

* Bear in mind that the solution _does_ _not_ _mean_ our hash algorithm is cryptographically secure. To put it simply, we fixed the hash table but we didn't fix the `String#hash` weakness. An attacker could still exploit it once he / she got a pair of a string and its hash value returned from `String#hash`. You _must_ _not_ disclose `String#hash` outputs. If you need to do such things, consider using secure hash algorithms instead. Some of them (such as SHA256) are provided in Ruby's standard library.

* For those who know the alternative hash algorithms inside our code base: we do not support them (they are disabled by default). By choosing them we consider that you can read C, and you can understand what was wrong with the default one. Make sure that your choice is safe, at your own risk.

Credit:

Credit to Alexander Klink <alexander.klink@nruns.com> and Julian Waelde <jwaelde@cdc.informatik.tu-darmstadt.de> for reporting this issue.
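Added example (not part of the advisory and not Ruby's own code): a small Ruby script that checks whether the installed ruby's `String#hash` really differs from one process to the next, which is what the p357 fix introduces and what the advisory says 1.9 already does, and that shows the advisory's recommended alternative when a string fingerprint has to be exposed. The function names and sample strings are my own assumptions.

```ruby
# Two checks a defender can run after reading the CVE-2011-4815 advisory.
#   hash_randomized?   -> does String#hash change between processes?
#                         (true on a fixed 1.8.7 or any 1.9 ruby)
#   public_fingerprint -> what to hand out instead of a String#hash value
require "rbconfig"
require "digest"

# Compute str.hash inside a fresh child interpreter (same ruby binary as
# ours). The value never leaves this machine; it is only compared locally.
# "--" stops option parsing so a sample beginning with "-" is still data.
def child_hash(str)
  out = IO.popen([RbConfig.ruby, "-e", "print ARGV[0].hash", "--", str], &:read)
  Integer(out)
end

# True when the child's String#hash differs from ours for every sample,
# i.e. a per-process seed is in effect. A deterministic hash (unpatched
# 1.8.7-p352 and earlier) gives identical values and the check fails.
def hash_randomized?(samples = %w[a ruby collision])
  samples.all? { |s| child_hash(s) != s.hash }
end

# The advisory's first note: never disclose String#hash outputs. If an
# application needs a stable, shareable identifier for a string, derive
# it from a cryptographic digest in the standard library instead.
def public_fingerprint(str)
  Digest::SHA256.hexdigest(str)
end

if __FILE__ == $0
  puts "String#hash randomized per process: #{hash_randomized?}"
  puts "SHA256('abc') = #{public_fingerprint('abc')}"
end
```

On a ruby still using the deterministic 1.8 hash, `hash_randomized?` returns false, which is the signal to upgrade.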
on 2011-12-29 07:54
-----Original message-----
From: Urabe Shyouhei [mailto:shyouhei@ruby-lang.org]
Sent: Wednesday, 28 December 2011 14:14
To: ruby-talk ML; ruby-list@ruby-lang.org
Subject: [ANN] ruby 1.8.7 patchlevel 357 released
on 2011-12-29 07:55
-----Original message-----
From: Urabe Shyouhei [mailto:shyouhei@ruby-lang.org]
Sent: Wednesday, 28 December 2011 14:33
To: ruby-talk ML; ruby-list@ruby-lang.org
Subject: [ANN] CVE-2011-4815: Denial of service attack was found for Ruby's Hash algorithm