DoS vulnerability in REXML

There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack can be used to remotely bring down (disable) any application that parses user-provided XML using REXML.

Most Rails applications will be vulnerable because Rails parses user-provided XML using REXML by default.


Ruby 1.8.7-p72 and 1.8.6-p287 released

Ruby 1.8.7-p72 and 1.8.6-p287 have been released. The previous releases were incomplete; the new releases include the fixes for the previously announced vulnerability in dl.

The released source archives are available at:

