Arbitrary code execution vulnerabilities

You may want to take immediate action on this.
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
though.
See comments at:
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

From: Mike B. [mailto:[email protected]]

Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
though.
See comments at:
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

ruby is not rails. upgrading ruby does not mean you’ve upgraded rails
too. wait for the rails upgrade. ask the rails list or dhh.

kind regards -botp

Jeremy K. wrote:

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaulting.

jeremy

1. Is this on simple reproducible cases or do you need Rails to get a
   segfault?

2. gdb is your friend. :)

On Fri, Jun 20, 2008 at 11:31 PM, Peña, Botp [email protected] wrote:

From: Mike B. [mailto:[email protected]]

Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
though.
See comments at:
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

ruby is not rails. upgrading ruby does not mean you’ve upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are
segfaulting.

jeremy

Situation summary from RubyInside
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

Updates on Drew Yao’s Terrible Ruby Vulnerabilities [Matasano Security]
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/