Benjamin Juang (ibneko) wrote in ruby_lang,

Arbitrary code execution vulnerabilities

Official news post here:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

General rundown of exactly _what_ is being affected:
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

Discussion forums of patches and such:
http://www.ruby-forum.com/topic/157034

Now, my question to you guys is... has anyone patched their copy of ruby? Anyone have any pointers on patching/upgrading ruby on a production site? My partner, the one who set everything up, is off on his honeymoon and can't be reached. The wannabe security professional side of me understands what the vulnerabilities mean and would very much like to patch and upgrade ruby. But from what I've read on the discussion forum, the releases are said to break stuff, which would be Very Bad™ for a live site.

Looks like we're running:
"Ubuntu 7.10" codename gutsy
ruby 1.8.6 (2007-06-07 patchlevel 36) [x86_64-linux]

crossposted to the ruby_lang community, although that looked relatively dead . . .

(This news is now about 5 days old...)
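As an added example (not from the post or from ruby-lang.org), a small Ruby check that parses the `ruby -v` line quoted above and compares its patchlevel against a per-release-line minimum; the `minimums` table is an assumption to be filled in from the advisory, and the numbers used below are constructed placeholders, not real fixed patchlevels.

```ruby
# Added example: parse the line printed by `ruby -v` and decide whether the
# interpreter is at or above the first fixed patchlevel for its release line.
# Format handled: "ruby 1.8.6 (2007-06-07 patchlevel 36) [x86_64-linux]"
RUBY_V_PATTERN = /\Aruby (\d+)\.(\d+)\.(\d+) \((\d{4}-\d{2}-\d{2}) patchlevel (\d+)\) \[([^\]]+)\]\z/

# Returns a hash with the pieces of a "ruby -v" line, or nil if it does not parse.
def parse_ruby_version(line)
  m = RUBY_V_PATTERN.match(line.strip)
  return nil unless m
  {
    version: m[1..3].map(&:to_i),   # e.g. [1, 8, 6]
    date: m[4],                      # release date string
    patchlevel: m[5].to_i,           # e.g. 36
    platform: m[6]                   # e.g. "x86_64-linux"
  }
end

# minimums maps a release line ("1.8.6") to the first patchlevel that carries
# the fix. Returns true/false, or nil when the line cannot be parsed or the
# release line is not in the table (unknown is not the same as patched).
def patched?(line, minimums)
  info = parse_ruby_version(line)
  return nil unless info
  min = minimums[info[:version].join(".")]
  return nil unless min
  info[:patchlevel] >= min
end

# One-line verdict suitable for a cron job or a deploy checklist.
def version_report(line, minimums)
  case patched?(line, minimums)
  when true  then "OK: #{line.strip}"
  when false then "VULNERABLE: #{line.strip} (below required patchlevel)"
  else            "UNKNOWN: #{line.strip} (unparsed or release line not in table)"
  end
end

if __FILE__ == $0
  # Placeholder table: replace the numbers with the patchlevels from the advisory.
  minimums = { "1.8.6" => 999 }
  puts version_report(`ruby -v`, minimums)
end
```

On a distribution-packaged ruby, `ruby -v` can keep reporting the old patchlevel after the distributor backports the fix into the existing version, so also check the package's changelog (for Ubuntu, `apt-get changelog` or the package's changelog.Debian.gz) before trusting a "VULNERABLE" verdict.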