Ruby News

Tulsa Ruby Workshop

Fri, 11 Apr 2008 16:31:11 GMT

I wanted to get the word out about the upcoming Tulsa Ruby Workshop. This will take place on April 26th, from 10 AM to 4 PM in Tulsa, OK.

The workshop has a great line up of intro Ruby and Rail content. I’m honored to have been asked to give two of the talks that day: an introduction to Ruby talk as well as a Ruby from Java talk. There will also be a beginning Rails talk from Tulsa.rb’s commander and chief, an Engine Yard employee on hand sharing deployment advice, as well as other language specific migration talks.

That’s pretty much a full day of Ruby learning and the best news is that attendance is free. They are even throwing in some food.

If you’re going to be in the area, definitely come join us!

You can find directions, a schedule, and other details about the workshop at:

http://tulsarb.org/wiki/Tulsa_Ruby_Workshop

Hope to see you there.

File access vulnerability of WEBrick

Mon, 03 Mar 2008 15:00:28 GMT

WEBrick, a standard library of Ruby to implement HTTP servers, has file access vulnerability.

Impact

The following programs are vulnerable.

Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option
Programs that publish files using WEBrick::HTTPServlet::FileHandler

Affected systems are:

Systems that accept backslash (\) as a path separator, such as Windows.
Systems that use case insensitive filesystems such as NTFS on Windows, HFS on Mac OS X.

This vulnerability has the following impacts.

Attacker can access private files by sending a url with url encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.

Example:
```
http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
```
Attacker can access files that matches to the patterns specified by the :NondisclosureName option (the default value is [".ht*", "*~"]). This exploit works only on systems that use case insensitive filesystems.

Vulnerable versions

1.8 series

1.8.4 and all prior versions
1.8.5-p114 and all prior versions
1.8.6-p113 and all prior versions

1.9 series

1.9.0-1 and all prior versions

Solution

1.8 series

Please upgrade to 1.8.5-p115 or 1.8.6-p114.

<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz> (md5sum: 20ca6cc87eb077296806412feaac0356)
<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)

1.9 series

Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.

<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)

Please note that a package that corrects this weakness may already be available through your package management software.

Credit

Credit to Digital Security Research Group (<URL:http://dsec.ru/>) for disclosing the problem to Ruby Security Team.

Scotland on Rails 2008

Wed, 27 Feb 2008 14:48:20 GMT

Scotland on Rails is pleased to announce that Conference2008 is open for registration. There is a limit to the number of registrations we’re able to accept so we’d advise you to get in quickly :-)

You can register at http://scotlandonrails.com/register The conference will take place on April 4th and 5th in Edinburgh (in a castle!), Scotland and will feature speakers from the UK, Europe, US and New Zealand including keynotes from Michael Koziarski and David Black. A list of sessions and speakers is available at http://scotlandonrails.com/talks.

We’re also planning a charity event on Thursday 3rd. This will feature an beginner level intro to Ruby and Rails in the morning, and sessions from several of the speakers from the main conference (including Jim Weirich, Bruce Williams and Giles Bowkett) in the afternoon. All the money raised from that days event will be going to CHAS – The Childrens Hospice Association.

European Ruby Confrence 2008 (EURUKO)

Mon, 25 Feb 2008 15:33:16 GMT

EURUKO is an annual conference about the Ruby programming language with an informal atmosphere and lots of opportunities to listen, to talk, to hack and to have fun. This year it takes place in Prague, Czech Republic, on March 29th to 30th.

MountainWest RubyConf 2008

Mon, 04 Feb 2008 18:24:11 GMT

Registration for MountainWest RubyConf 2008 is now open. This year features an expanded schedule and list of speakers.

The conference will be in Salt Lake City, Utah, USA, on March 28 and 29, 2008. Registration costs just $100 and includes lunch both days, t-shirt, and more.

Ruby Fool's Conference

Thu, 24 Jan 2008 14:24:47 GMT

The first Ruby Fools conference will be held on April Fools’ Day in Copenhagen, Denmark. The conference organizers intend to cater a bit to both expert and novice developers, so any Rubyists in the area may want to consider attending.

Ruby logo available

Wed, 09 Jan 2008 08:42:05 GMT

The official Ruby logo is available to download under Creative Commons Attribution-Share Alike license now. Available formats are Illustrator/SVG/PDF/PNG.

Ruby 1.9.0 Released

Tue, 25 Dec 2007 16:37:35 GMT

Matz announced the release of Ruby 1.9.0, a development release.

You can fetch it from:

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-0.tar.bz2

407cc7d0032e19eb12216c0ebc7f17b3

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-0.tar.gz

b20cce98b284f7f75939c09d5c8e846d

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-0.zip

78b2a5f9a81c5f6775002c4fb24d2d75

Net::HTTPS Vulnerability

Thu, 04 Oct 2007 04:26:46 GMT

A vulnerability on the net/https library was reported.

Detailed information should be found at the original advisory: <URL:http://www.isecpartners.com/advisories/2007-006-rubyssl.txt>

Impact

The vulnerability exists in the connect method within http.rb file which fails to call post_connection_check after the SSL connection has been negotiated. Since the server certificate's CN is not validated against the requested DNS name, the attacker can impersonate the target server in a SSL connection. The integrity and confidentiality benefits of SSL are thereby eliminated.

Vulnerable versions

1.8 series

1.8.4 and all prior versions
1.8.5-p113 and all prior versions
1.8.6-p110 and all prior versions

Development version (1.9 series)

All versions before 2006-09-23

Solution

1.8 series

Please upgrade to 1.8.6-p111 or 1.8.5-p114.

Then you should use Net::HTTP#enable_post_connection_check= to enable post_connection_check.

http = Net::HTTP.new(host, 443)
http.use_ssl = true
http.enable_post_connection_check = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths
http.cert_store = store
http.start {
  response = http.get("/")
}

Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)

Please update your Ruby to a version after 2006-09-23. The default value of Net::HTTP#enable_post_connection_check is true on Ruby 1.9.

Changes

2007-10-04 16:30 +09:00 added description for enable_post_connection_check to `Solution'.

Euruko 2007: The European Ruby Conference

Tue, 18 Sep 2007 17:55:24 GMT

Planning is underway for Euruko 2007

Euruko 2007 will be located in Vienna, Austria, on Saturday & Sunday 10th and 11th November, 2007.

There is an informal registration page and a general information site .