Rails and Ruby 1.8.2 -- Is there a Security Issue?


#1

Hello,

Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby 1.8.2
(http://www.ruby-lang.org/en/20051003.html). The Rails Web site suggests
running Rails 1.1 under either 1.8.2 or 1.8.4.

Is the security issue in 1.8.2 such that a Rails application wouldn’t
expose it to the public? Or, for security reasons, should Rails apps
(and any other publicly exposed usage of Ruby) be only run under 1.8.4?
In other words, is using 1.8.2 + Rails safe?

Thank you,
Ben


#2

On Apr 6, 2006, at 6:54 AM, Ben Gribaudo wrote:

Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby
1.8.2 (http://www.ruby-lang.org/en/20051003.html). The Rails Web
site suggests running Rails 1.1 under either 1.8.2 or 1.8.4.

Is the security issue in 1.8.2 such that a Rails application
wouldn’t expose it to the public? Or, for security reasons, should
Rails apps (and any other publicly exposed usage of Ruby) be only
run under 1.8.4? In other words, is using 1.8.2 + Rails safe?

Rails doesn’t use $SAFE.


Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com
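The answer above is that Rails itself does not set $SAFE, so the 1.8.2 safe-level bypass only matters to code that relies on safe levels or taint tracking. The script below is an added example, not code from the thread or from Rails: it audits an application tree (app, lib, vendored plugins) for exactly that reliance. The method names and the sample source it scans are my own constructions.

```ruby
# Added audit helper, not from the thread: report lines in Ruby source that
# set or read $SAFE or rely on taint tracking. The 1.8.2 safe-level bypass
# only matters to code that relies on those, and Rails itself does not, so a
# hit points at the app or a dependency as the party that would be affected.

# Returns the kinds of safe-level/taint reliance found in one line of code.
def safe_level_kinds(code)
  kinds = []
  if code =~ /\$SAFE\b/
    # "$SAFE = n" is an assignment; "$SAFE == n" or a bare "$SAFE" is a read.
    kinds << (code =~ /\$SAFE\s*=(?!=)/ ? "assigns $SAFE" : "reads $SAFE")
  end
  kinds << "Thread#safe_level" if code =~ /\.safe_level\b/
  kinds << "taint check" if code =~ /\.(?:tainted\?|taint\b|untaint\b)/
  kinds
end

# Scans one file's source text. Returns [line_number, kind, stripped_line]
# for every hit; trailing "# ..." comments are ignored (a '#' inside a string
# literal is stripped too, which can only hide a hit, never invent one).
def find_safe_level_usage(source)
  hits = []
  source.each_line.with_index(1) do |line, lineno|
    code = line.sub(/#.*$/, "")
    safe_level_kinds(code).each { |kind| hits << [lineno, kind, line.strip] }
  end
  hits
end

# Walks a tree of .rb files (e.g. app/, lib/ and vendor/) and returns
# { path => hits } for the files that have at least one hit.
def audit_tree(root)
  Dir.glob(File.join(root, "**", "*.rb")).sort.each_with_object({}) do |path, report|
    hits = find_safe_level_usage(File.read(path))
    report[path] = hits unless hits.empty?
  end
end

# Constructed sample standing in for an application file under audit.
SAMPLE_SOURCE = <<~'RUBY'
  # setup
  $SAFE = 1 # raise safe level
  input = params[:q]
  raise "tainted" if input.tainted?
  eval(input) if $SAFE == 0
RUBY

find_safe_level_usage(SAMPLE_SOURCE).each do |lineno, kind, text|
  puts "sample.rb:#{lineno}: #{kind}: #{text}"
end
```

Run `audit_tree("vendor/plugins")` or `audit_tree(".")` against a real checkout; an empty report means nothing in that tree depends on the feature the advisory concerns.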