Arbitrary code execution vulnerabilities

Mike_Berrow · 21 June 2008 04:46

You may want to take immediate action on this.
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
though.
See comments at:

···

--
Posted via http://www.ruby-forum.com/.

_Pena_Botp1 · 21 June 2008 06:31

# Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
# though.
# See comments at:
# http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security
# -vulnerabilities

ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

kind regards -botp

···

From: Mike Berrow [mailto:mberrow1@pacbell.net]

Mike_Berrow · 22 June 2008 05:34

Situation summary from RubyInside
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

Updates on Drew Yao’s Terrible Ruby Vulnerabilities [Matasano Security]
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

···

--
Posted via http://www.ruby-forum.com/.

Jeremy_Kemper1 · 21 June 2008 07:18

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaulting.

jeremy

···

On Fri, Jun 20, 2008 at 11:31 PM, Peña, Botp <botp@delmonte-phil.com> wrote:

From: Mike Berrow [mailto:mberrow1@pacbell.net]
# Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
# though.
# See comments at:
# http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security
# -vulnerabilities

ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

M_Edward_Ed_Borasky1 · 21 June 2008 16:41

Jeremy Kemper wrote:

···

On Fri, Jun 20, 2008 at 11:31 PM, Peña, Botp <botp@delmonte-phil.com> wrote:

From: Mike Berrow [mailto:mberrow1@pacbell.net]
# Some people seem to be seeing problems with the 1.8.6-p230 upgrade,
# though.
# See comments at:
# http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security
# -vulnerabilities

ruby is not rails. upgrading ruby does not mean you've upgraded rails too. wait for the rails upgrade. ask the rails list or dhh.

You misunderstood. The latest patchlevels of 1.8.5 and 1.8.6 are segfaulting.

jeremy

1. Is this on simple reproducible cases or do you need Rails to get a segfault?

2. gdb is your friend.

Topic		Replies	Views
Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix) ruby-talk	90	556	18 July 2008
Ruby 1.8.6 p230 - really a fix? ruby-talk	4	132	25 June 2008
Server crashes since ruby upgrade ruby-talk	1	171	24 June 2008
Workarounds for ruby 1.8.6 segmentations faults ruby-talk	11	167	2 July 2008
[ANN] Rails 1.1.6: Stronger fix, backports, and full disclosure ruby-talk	7	128	11 August 2006

Arbitrary code execution vulnerabilities

Related topics