comp.lang.ruby

Arbitrary code execution vulnerabilities

Mike Berrow

6/21/2008 4:47:00 AM

You may want to take immediate action on this.
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulner...

Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
though.
See comments at:
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulne...
--
Posted via http://www.ruby-....

4 Answers

Peña, Botp

6/21/2008 6:31:00 AM

0

From: Mike Berrow [mailto:mberrow1@pacbell.net]
# Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
# though.
# See comments at:
# http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security
# -vulnerabilities

ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

kind regards -botp

Jeremy Kemper

6/21/2008 7:19:00 AM

0

On Fri, Jun 20, 2008 at 11:31 PM, Peña, Botp <botp@delmonte-phil.com> wrote:
> From: Mike Berrow [mailto:mberrow1@pacbell.net]
> # Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
> # though.
> # See comments at:
> # http://weblog.rubyonrails.com/2008/6/21/multiple-rub...
> # -vulnerabilities
>
> ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaulting.

jeremy

M. Edward (Ed) Borasky

6/21/2008 4:41:00 PM

0

Jeremy Kemper wrote:
> On Fri, Jun 20, 2008 at 11:31 PM, Peña, Botp <botp@delmonte-phil.com> wrote:
>> From: Mike Berrow [mailto:mberrow1@pacbell.net]
>> # Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
>> # though.
>> # See comments at:
>> # http://weblog.rubyonrails.com/2008/6/21/multiple-rub...
>> # -vulnerabilities
>>
>> ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.
>
> You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaulting.
>
> jeremy

1. Is this on simple reproducible cases or do you need Rails to get a
segfault?

2. gdb is your friend. :)

Mike Berrow

6/22/2008 5:35:00 AM

0

Situation summary from RubyInside
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilitie...

Updates on Drew Yao's Terrible Ruby Vulnerabilities [Matasano Security]
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulner...
