[ANN] JRuby 1.6.5.1 Released

if i run (the older) jruby w the -1.9 option, would i still be affected?

thanks for the update
-botp

On Wed, Dec 28, 2011 at 7:51 AM, Thomas E Enebo <tom.enebo@gmail.com> wrote:

JRuby 1.6.5.1 is a special release with a single patch applied to our
JRuby 1.6.5 source to correct CERT vulnerability CERT-2011-003
(http://www.ocert.org/advisories/ocert-2011-003.html). All users are
recommended to upgrade to JRuby 1.6.5.1 to get this security fix.

-----Original Message-----

From: botp [mailto:botpena@gmail.com]
Sent: Thursday, 29 December 2011 03:45
To: ruby-talk ML
Cc: user@jruby.codehaus.org; dev@jruby.codehaus.org
Subject: Re: [ANN] JRuby 1.6.5.1 Released

On Wed, Dec 28, 2011 at 7:51 AM, Thomas E Enebo <tom.enebo@gmail.com> wrote:

JRuby 1.6.5.1 is a special release with a single patch applied to our
JRuby 1.6.5 source to correct CERT vulnerability CERT-2011-003
(http://www.ocert.org/advisories/ocert-2011-003.html). All users are
recommended to upgrade to JRuby 1.6.5.1 to get this security fix.

if i run (the older) jruby w the -1.9 option, would i still be affected?

thanks for the update
-botp

(2011/12/29 11:44), botp wrote:

JRuby 1.6.5.1 is a special release with a single patch applied to our
JRuby 1.6.5 source to correct CERT vulnerability CERT-2011-003
(http://www.ocert.org/advisories/ocert-2011-003.html). All users are
recommended to upgrade to JRuby 1.6.5.1 to get this security fix.

if i run (the older) jruby w the -1.9 option, would i still be affected?

Yes, jruby <= 1.6.5 uses sdbm Hash (good old CRuby 1.8's hash function)
both in 1.8/1.9 mode. Please upgrade to 1.6.5.1 which uses MurmurHash2
like CRuby 1.9 (both in 1.8/1.9)

If you can't upgrade, try to apply the patch for jruby 1.6 series[1].
If you can't apply the patch, you might be able to get help of the
latest Rack release[2]. If you're using WEBrick for production by
accident, here's an experimental patch[3].

[1] Comparing 9dcd3885...2f607d21 · jruby/jruby · GitHub
[2] Redirecting to Google Groups
[3] Comparing 0daf82f1...ruby_1_8_7 · nahi/webrick · GitHub

Best regards,
// NaHi

On Wed, Dec 28, 2011 at 7:51 AM, Thomas E Enebo <tom.enebo@gmail.com> wrote:

Thank you very much, NaHi.
best regards for the new year -botp

On Wed, Jan 4, 2012 at 10:08 AM, Hiroshi Nakamura <nahi@ruby-lang.org> wrote:

(2011/12/29 11:44), botp wrote:

if i run (the older) jruby w the -1.9 option, would i still be affected?

Yes, jruby <= 1.6.5 uses sdbm Hash (good old CRuby 1.8's hash function)
both in 1.8/1.9 mode. Please upgrade to 1.6.5.1 which uses MurmurHash2
Best regards,
// NaHi