Ruby vulnerability?

植田 裕之 ueda at netforest.ad.jp
Sun Jul 30 03:13:25 UTC 2006


Dear Sirs,


> CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
> Secunia has more professional report.
> 
> RedHat is only vendor who released updates, but they are binary. So,
> there is no known fix now.

The following information may help you:

	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

But matz (the Ruby creator) has not mentioned this yet. And he has said
that he has no intention of releasing a patch for the vulnerabilities.

	http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-list/42575

The message is in Japanese and the content is as follows.

	At present, a patch for these vulnerabilities is not ready
	because the problems occur only with $SAFE=4. So the
	vulnerabilities will be serious only when all the following
	conditions are satisfied.

		* You use the $SAFE=4 sandbox
		* You run untrusted code


> I hope ruby team will release 1.8.5 ASAP.

On 18 July, Ruby 1.8.5 preview2 was released, and the release date of 1.8.5
will be around the middle of August if they work on schedule.


Best regards.

-----
UEDA Hiroyuki <ueda at netforest.ad.jp>



More information about the freebsd-security mailing list