Rails and Ruby 1.8.2 -- Is there a Security Issue?

Hello,

Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby 1.8.2
(http://www.ruby-lang.org/en/20051003.html). The Rails Web site suggests
running Rails 1.1 under either 1.8.2 or 1.8.4.

Is the security issue in 1.8.2 such that a Rails application wouldn’t
expose it to the public? Or, for security reasons, should Rails apps
(and any other publicly exposed usage of Ruby) be only run under1.8.4?
In other words, is using 1.8.2 + Rails safe?

Thank you,
Ben

On Apr 6, 2006, at 6:54 AM, Ben Gribaudo wrote:

Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby
1.8.2 (http://www.ruby-lang.org/en/20051003.html). The Rails Web
site suggests running Rails 1.1 under either 1.8.2 or 1.8.4.

Is the security issue in 1.8.2 such that a Rails application
wouldn’t expose it to the public? Or, for security reasons, should
Rails apps (and any other publicly exposed usage of Ruby) be only
run under1.8.4? In other words, is using 1.8.2 + Rails safe?

Rails doesn’t use $SAFE.


Eric H. - [email protected] - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs