Ruby vulnerability?

Sergey Matveychuk sem at FreeBSD.org
Sat Jul 29 19:50:22 UTC 2006


Shaun Amott wrote:
> On Sat, Jul 29, 2006 at 07:54:16PM +0200, Remko Lodder wrote:
>> Sergey Matveychuk wrote:
>>> Shaun Amott wrote:
>>>> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
>>>>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
>>>>> far it doesn't appear in the VuXML, but am I correct in presuming it will
>>>>> soon?
>>>>>
>>>> I've added it; thanks for the report.
>>>>
>>> Can we get patches somewhere? I can't find any.
>>>
>> It is said that the patches are available through the CVSweb
>> but all the information I could find was in Japanese, which is
>> a bit difficult to read for me (read: I do not speak nor read
>> Japanese at all).
> 
> The CVE report seemed to imply that there was a fix in 1.8.5, which I
> assumed had therefore been released. But it seems this isn't the case.
> 
> The Ruby folks say they don't publish advisories until there is a fix
> ready; and there is no mention of this vulnerability on the website.
> 

The CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
Secunia has a more professional report.

Red Hat is the only vendor that has released updates, but they are binary. So,
there is no known fix now.

I hope the Ruby team will release 1.8.5 ASAP.

-- 
Dixi.
Sem.
