Hello all. This is a security fix for ruby 1.8.7. A vulnerability was found in Ruby's BigDecimal stdlib. That enables attackers to cause ruby process segfault. This release is to fix that issue. For a detailed info on the vulnerability please refer: http://www.ruby-lang.org/en/news/2009/06/09/dos-vu... Released tarballs are available at: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.gz ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.bz2 ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.zip and checksums: MD5(ruby-1.8.7-p173.tar.gz)= 74fbd67496ab7cc4de896d053f1507a5 SHA256(ruby-1.8.7-p173.tar.gz)= 89ad16522f0a2f91e83e418e63cd27ec0fa6e40b17118c29f48b24468490a662 SIZE(ruby-1.8.7-p173.tar.gz)= 4823322 MD5(ruby-1.8.7-p173.tar.bz2)= bf297efaa24ec6cdb74963c0f608f6f1 SHA256(ruby-1.8.7-p173.tar.bz2)= 7cec49bc4afb82188ca4bdb5a0400ec7ede6bf0937af9dd6acaca4e54b8aa760 SIZE(ruby-1.8.7-p173.tar.bz2)= 4144667 MD5(ruby-1.8.7-p173.zip)= ef2f79470286bf885aeadb10c32ff379 SHA256(ruby-1.8.7-p173.zip)= 92e55401af85363955bac9c08366a9e1b144d4e4f756cc3c552b4fd242bf540a SIZE(ruby-1.8.7-p173.zip)= 5881664 Thank you.
on 2009-06-10 02:23
on 2009-06-10 21:38
FYI, there is a bug in BigDecimal#to_f with this release. BigDecimal("10.03").to_f => 10.3 My colleague put together a temporary fix (the post is for Rails devs): http://bit.ly/65vKm Hope this helps some folks out. -- Barry Hess http://iridesco.com http://bjhess.com
on 2009-06-11 00:17
On Wed, Jun 10, 2009 at 2:38 PM, Barry Hess<firstname.lastname@example.org> wrote: > FYI, there is a bug in BigDecimal#to_f with this release. > > BigDecimal("10.03").to_f > => 10.3 > > My colleague put together a temporary fix (the post is for Rails devs): > > http://bit.ly/65vKm Why was this not caught in the original fix? I thought the ruby-core folks were running RubySpecs now... - Charlie
on 2009-06-11 00:28
On Jun 10, 2009, at 3:17 PM, Charles Oliver Nutter wrote: > > Why was this not caught in the original fix? I thought the ruby-core > folks were running RubySpecs now... > > - Charlie This was caught by the rubyspecs and is not broken in the release of ruby-1.8.6_p369. Cheers- Ezra Zygmuntowicz email@example.com
on 2009-06-11 02:44
On Wed, Jun 10, 2009 at 5:27 PM, Ezra Zygmuntowicz<firstname.lastname@example.org> wrote: > Â Â Â Â This was caught by the rubyspecs and is not broken in the release of > ruby-1.8.6_p369. Yes, I know that much from talking to Kirk... but I'm confused why there would be a breakage in any of the other versions if everyone's running RubySpecs. - Charlie
on 2009-06-11 08:12
Hi, In message "Re: Ruby 1.8.7-p173 released" on Thu, 11 Jun 2009 07:17:02 +0900, Charles Oliver Nutter <email@example.com> writes: |Why was this not caught in the original fix? I thought the ruby-core |folks were running RubySpecs now... It was me introduced a bug. I neglect to run the test this time. Unfortunately, 1.9 maintainers seemed to trust me, who they shouldn't trust. I hope we could learn something from this experience. I have just committed all the fixes (from 1.9) to 1.8 HEAD. matz.
on 2009-06-12 01:17
On Thu, Jun 11, 2009 at 1:11 AM, Yukihiro Matsumoto<firstname.lastname@example.org> wrote: > It was me introduced a bug. Â I neglect to run the test this time. > Unfortunately, 1.9 maintainers seemed to trust me, who they shouldn't > trust. Â I hope we could learn something from this experience. > > I have just committed all the fixes (from 1.9) to 1.8 HEAD. I know how that is, and I sympathize. Good thing Ruby has a great community to catch us when we stumble :) Let me know if there's any way I can help ruby-core devs include rubyspecs in day-to-day development. They only take about a minute to run. - Charlie
on 2009-06-12 10:07
Yukihiro Matsumoto wrote: > I have just committed all the fixes (from 1.9) to 1.8 HEAD. And I've backported that to 1.8.7. Can I release that right now? Or should I wait for next week? It's Friday after 17:00 in Japan. I'm personally OK to release, though.
on 2009-06-16 02:25
> Yukihiro Matsumoto wrote: >> I have just committed all the fixes (from 1.9) to 1.8 HEAD. > > And I've backported that to 1.8.7. Sorry for the breakage. I've put the release tarball on our ftp site (URL below). ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.bz2 ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.zip Checksums: MD5(ruby-1.8.7-p174.tar.gz)= 18dcdfef761a745ac7da45b61776afa5 SHA256(ruby-1.8.7-p174.tar.gz)= da65d7d7c09ffc018fe5788338dc91ced08e0fb009a90c4bdeececfbd8c0fcc1 SIZE(ruby-1.8.7-p174.tar.gz)= 4823453 MD5(ruby-1.8.7-p174.tar.bz2)= 88c45aaf627b4404e5e4273cb03ba2ee SHA256(ruby-1.8.7-p174.tar.bz2)= 203978b6db1cc77a79ff03d141d162f6f17d86c3574f76de9eae9d0c8cb920bc SIZE(ruby-1.8.7-p174.tar.bz2)= 4144807 MD5(ruby-1.8.7-p174.zip)= 238b4744fc96d8cdba639ac2070333c4 SHA256(ruby-1.8.7-p174.zip)= 0b21024be3d77f13df938cbde5664d5aef3cf4cc168e331130e74980a4f9087d SIZE(ruby-1.8.7-p174.zip)= 5881715 Thank you.