Arbitrary code execution vulnerabilities

Mike Berrow · Jun 21, 2008

You may want to take immediate action on this.
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
though.
See comments at:
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

PeÃ±a, Botp · Jun 21, 2008

RnJvbTogTWlrZSBCZXJyb3cgW21haWx0bzptYmVycm93MUBwYWNiZWxsLm5ldF0gDQojIFNvbWUg
cGVvcGxlIHNlZW0gdG8gYmUgc2VlaW5nIHByb2JsZW1zIHdpdGggdGhlIDEuOC42LXAyMzAgdXBn
cmFkZSwNCiMgdGhvdWdoLg0KIyBTZWUgY29tbWVudHMgYXQ6DQojIGh0dHA6Ly93ZWJsb2cucnVi
eW9ucmFpbHMuY29tLzIwMDgvNi8yMS9tdWx0aXBsZS1ydWJ5LXNlY3VyaXR5DQojIC12dWxuZXJh
YmlsaXRpZXMNCg0KcnVieSBpcyBub3QgcmFpbHMuIHVwZ3JhZGluZyBydWJ5IGRvZXMgbm90IG1l
YW4geW91J3ZlIHVwZ3JhZGVkIHJhaWxzIHRvby4gd2FpdCBmb3IgdGhlIHJhaWxzIHVwZ3JhZGUu
IGFzayB0aGUgcmFpbHMgbGlzdCBvciBkaGguDQoNCmtpbmQgcmVnYXJkcyAtYm90cA0KDQoNCg==

Jeremy Kemper · Jun 21, 2008

From: Mike Berrow [mailto:[email protected]]
# Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
# though.
# See comments at:
# http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security
# -vulnerabilities

ruby is not rails. upgrading ruby does not mean you've upgraded rails too=

wait for the rails upgrade. ask the rails list or dhh.

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaultin=
g.

jeremy

M. Edward (Ed) Borasky · Jun 21, 2008

Jeremy said:
From: Mike Berrow [mailto:[email protected]]
# Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
# though.
# See comments at:
# http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security
# -vulnerabilities

ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

Click to expand...

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaulting.

jeremy

1. Is this on simple reproducible cases or do you need Rails to get a
segfault?

2. gdb is your friend.

Mike Berrow · Jun 22, 2008

Situation summary from RubyInside
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

Updates on Drew Yaoâ€™s Terrible Ruby Vulnerabilities [Matasano Security]
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix)	82	Jun 20, 2008
Ruby 1.8.7-p71 / 1.8.6-p286 released (Security Fix)	12	Aug 8, 2008
Updated (Unofficial) Ruby One-Click Installer	0	Jul 1, 2008
Server crashes since ruby upgrade	1	Jun 24, 2008
Ruby 1.8.6-p114 / 1.8.5-p115 released (Security Fix)	1	Mar 3, 2008
How to upgrade ruby to a specific version	8	Jul 6, 2009
Help with my responsive home page	2	Dec 14, 2022
Working on mobile css menu with plenty of frustration!	2	Dec 29, 2022

Arbitrary code execution vulnerabilities

Mike Berrow

PeÃ±a, Botp

Jeremy Kemper

M. Edward (Ed) Borasky

Mike Berrow

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads