Ruby News

Ruby 1.9.2-p320 is released

Sat, 21 Apr 2012 23:21:28 GMT

Ruby 1.9.2-p320 is released.

This release include Security Fix for RubyGems: SSL server verification failure for remote repository. And many bugs are fixed in this release.

Security Fix for RubyGems: SSL server verification failure for remote repository

This release includes two security fixes in RubyGems.

Turn on verification of server SSL certs
Disallow redirects from https to http

Users who uses https source in .gemrc or /etc/gemrc are encouraged to upgrade to 1.9.2-p320 or 1.9.3-p194.

Following is excerpted from RubyGems 1.8.23 release note [1].

"This release increases the security used when RubyGems is talking to an https server. If you use a custom RubyGems server over SSL, this release will cause RubyGems to no longer connect unless your SSL cert is globally valid.

You can configure SSL certificate usage in RubyGems through the :ssl_ca_cert and :ssl_verify_mode options in ~/.gemrc and /etc/gemrc. The recommended way is to set :ssl_ca_cert to the CA certificate for your server or a certificate bundle containing your CA certification.

You may also set :ssl_verify_mode to 0 to completely disable SSL certificate checks, but this is not recommended."

Credit to John Firebaugh for reporting this issue.

[1] <URL:https://github.com/rubygems/rubygems/blob/1.8/History.txt>

Fixes

Security Fix for RubyGems: SSL server verification failure for remote repository
other bug fixes

See tickets and ChangeLog for details.

Downloads

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p320.tar.bz2>
- SIZE: 8981382 bytes
- MD5: b226dfe95d92750ee7163e899b33af00
- SHA256: 6777f865cfa21ffdc167fcc4a7da05cb13aab1bd9e59bfcda82c4b32f75e6b51
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p320.tar.gz>
- SIZE: 11338691 bytes
- MD5: 5ef5d9c07af207710bd9c2ad1cef4b42
- SHA256: 39a1f046e8756c1885cde42b234bc608196e50feadf1d0f202f7634f4a4b1245
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p320.zip>
- SIZE: 12730896 bytes
- MD5: 0bdfd04bfeb0933c0bdcd00e4ea94c49
- SHA256: 83db9c86d5cf20bb91e625c3c9c1da8e61d941e1bc8ff4a1b9ea70c12f2972d3

Ruby 1.9.3-p194 is released

Fri, 20 Apr 2012 03:19:04 GMT

Ruby 1.9.3-p194 is released.

This release include Security Fix for RubyGems: SSL server verification failure for remote repository. And many bugs are fixed in this release.

Security Fix for RubyGems: SSL server verification failure for remote repository

This release includes two security fixes in RubyGems.

Turn on verification of server SSL certs
Disallow redirects from https to http

Users who uses https source in .gemrc or /etc/gemrc are encouraged to upgrade to 1.9.3-p194.

Following is excerpted from RubyGems 1.8.23 release note [1].

You may also set :ssl_verify_mode to 0 to completely disable SSL certificate checks, but this is not recommended."

Credit to John Firebaugh for reporting this issue.

[1] <URL:https://github.com/rubygems/rubygems/blob/1.8/History.txt>

Fixes

Security Fix for RubyGems: SSL server verification failure for remote repository
other bug fixes

See tickets and ChangeLog for details.

Downloads

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.bz2>
- SIZE: 9841223 bytes
- MD5: 2278eff4cfed3cbc0653bc73085caa34
- SHA256: a9d1ea9eaea075c60048369a63b35b3b5a06a30aa214a3d990e0bb71212db8fa
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.gz>
- SIZE: 12432239 bytes
- MD5: bc0c715c69da4d1d8bd57069c19f6c0e
- SHA256: 46e2fa80be7efed51bd9cdc529d1fe22ebc7567ee0f91db4ab855438cf4bd8bb
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.zip>
- SIZE: 13898712 bytes
- MD5: 77e67b15234e442d4a3dcc450bc70fea
- SHA256: 77474cfb92385b3a0b4c346553048bc65bfe68d4f220128329671a0234cb124d

RubyTeach 2012

Tue, 10 Apr 2012 18:53:05 GMT

Vancouver, BC

May 29th to 31st, 2012

RubyTeach is part of DevTeach and it offer 3 days of training between May 29th and May 31st. A total of 11 sessions on Ruby and over 30 sessions on Web Development (jQuery, HTML5, CSS) and Agile. The best experts in the industry are presenting their knowledge and expertise. This is your chance to learn and network with the experts.

Learn more…

Matz Earns the FSF's 2011 Free Software Award

Thu, 29 Mar 2012 13:55:25 GMT

The Award for the Advancement of Free Software is given annually to an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software.

This year, it was given to Yukihiro Matsumoto (aka Matz), the creator of the Ruby programming language. Matz has worked on GNU, Ruby, and other free software for over 20 years…

Read the full article.

Ruby 1.9.3-p125 is released

Thu, 16 Feb 2012 12:03:49 GMT

Ruby 1.9.3-p125 is released.

This release include a security fixes of the Ruby OpenSSL extension. And many bugs are fixed in this release.

== Fixes

Fix for Ruby OpenSSL module: Allow "0/n splitting" as a prevention for the TLS BEAST attack
Fixed: LLVM/clang support [Bug #5076]
Fixed: GCC 4.7 support [Bug #5851]
other bug fixes

See tickets and ChangeLog for details.

== Downloads

NOTE: Repackaged on 2012-02-17 02:04:00 UTC to fix [Bug #6040].

http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p125.tar.bz2
- SIZE: 9733962 bytes
- MD5: 702529a7f8417ed79f628b77d8061aa5
- SHA256: c67a59443052b5a9219eb4cee3892bdfbc6f250f0c8e214e02256a4cc7ef5526
http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p125.tar.gz
- SIZE: 12278584 bytes
- MD5: e3ea86b9d3fc2d3ec867f66969ae3b92
- SHA256: 8b3c035cf4f0ad6420f447d6a48e8817e5384d0504514939aeb156e251d44cce
http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p125.zip
- SIZE: 13742164 bytes
- MD5: 2cff031a8801d91a0a0ca8e9a83e2ec8
- SHA256: c16423182227c765398723da2419e4e962076778ec5e39417fad564e413fde1d

Security Fix for Ruby OpenSSL module: Allow "0/n splitting" as a prevention for the TLS BEAST attack.

Thu, 16 Feb 2012 11:20:41 GMT

In OpenSSL, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option for SSL connection is used to prevent TLS-CBC-IV vulnerability described at [1]. It's known issue of TLSv1/SSLv3 but it attracts lots of attention these days as BEAST attack [2] (CVE-2011-3389). Ruby related topics are at our issue tracker [3].

Until now Ruby OpenSSL extension uses SSL_OP_ALL option, the combined option of OpenSSL for various bug workarounds that should be rather harmless, for all SSL connection by default. And it only allows users to add other options so you could not remove the feature that is included in SSL_OP_ALL option, like SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. It was intentional as it didn't expose constants like SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but we should allow to unset the option so that Ruby OpenSSL extension inserts empty fragments at the beginning of SSL connections (named "0/n splitting") to prevent the TLS BEAST attack.

This release defines additional constants and allows users to unset options in SSL_OP_ALL. Default option is still SSL_OP_ALL but you can setup the SSLSocket with doing "0/n splitting" for BEAST prevention like this.

ctx = SSLContext.new
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
SSLSocket.new(socket, ctx)

Credit to Apple for reporting this issue.

NOTE: Some SSL endpoints are known to have a bug that cannot handle "0/n splitting" correctly so we (and OpenSSL) do not set this as a default option. Please test SSL connectivity before enabling this in production environment. If the other endpoint you're connecting cannot handle "0/n splitting", you must use another workaround for preventing the TLS BEAST attack, like enforcing ciphersuite to use RC4. For details, please find discussions and resources around CVE-2011-3389.

Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815)

Wed, 28 Dec 2011 13:25:41 GMT

Impact

This is something related to computational complexity. Specially crafted series of strings that intentionally collide their hash values each other was found. With such sequences an attacker can issue a denial of service attack by, for instance, giving them as POST parameters of HTTP requests for your Rails application.

Detailed description

The situation is similar to the one found for Perl in 2003. In 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here the "deterministic" means no other bits of information than the input string itself is involved to generate a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can let ruby process collide bins of hash tables (including Hash class instances). Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n²) to construct a n-elements table this case).

Affected versions

Ruby 1.8.7-p352 and all prior versions.

All Ruby 1.9 series are not affected by this kind of attack. They do not share hash implementations with Ruby 1.8 series.

Solution

Our solution is to scramble the string hash function by some PRNG-generated random bits. By doing so a string's hashed value is no longer deterministic. That is, a String#hash result is consistent only for current process lifetime and will generate a different number for the next boot. To break this situation an attacker must create a set of strings which are robust to this kind of scrambling. This is believed to be quite difficult.

Please upgrade to ruby 1.8.7-p357.

Notes

Bear in mind that the solution does not mean our hash algorithm is cryptographically secure. To put it simple, we fixed the hash table but we didn't fix String#hash weakness. An attacker could still exploit it once he / she got a pair of a string and its hash value returned from String#hash. You must not disclose String#hash outputs. If you need to do such things, consider using secure hash algorithms instead. Some of them (such as SHA256) are provided in Ruby's standard library.
For those who knows alternative hash algorithms inside our code base: we do not support them (they are disabled by default). By choosing them we consider you can read C, and you can understand what was wrong with the default one. Make sure that your choice is safe at your own risk.

Credit

Credit to Alexander Klink alexander.klink@nruns.com and Julian Waelde jwaelde@cdc.informatik.tu-darmstadt.de for reporting this issue.

EDIT some related links:

CVE-2011-4815 is assigned to this issue.
oCERT.org published an advisory about it.
JRuby released version 1.6.5.1 to fix the identical issue. Other ruby alternatives might also suffer.
Twitter account @hashDoS collects informations about hash colliision attacks.

Ruby 1.9.3 p0 is released

Mon, 31 Oct 2011 03:27:41 GMT

Ruby 1.9.3 p0 is released. This is the latest stable version of 1.9 series.

See ChangeLogs and NEWS for the descriptions.

Locations

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p0.tar.bz2>

SIZE: 9554576 bytes

MD5: 65401fb3194cdccd6c1175ab29b8fdb8

SHA256: ca8ba4e564fc5f98b210a5784e43dfffef9471222849e46f8e848b37e9f38acf
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p0.tar.gz>

SIZE: 12223217 bytes

MD5: 8e2fef56185cfbaf29d0c8329fc77c05

SHA256: 3b910042e3561f4296fd95d96bf30322e53eecf083992e5042a7680698cfa34e
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p0.zip>

SIZE: 13691314 bytes

MD5: 437ac529a7872c8dcc956eab8e7e6f76

SHA256: 1be16d0172e9cf9e5078a7bee2465a9f3af431920e1e3d9417a4fc2ee074bca4

Upcoming Ruby Programming Competitions with Matz - Grand Prize - 1,000,000 JPY!

Wed, 12 Oct 2011 14:42:22 GMT

Dear Ruby Enthusiasts:

The Government of Fukuoka, Japan together with "Matz" Matsumoto would like to invite you to enter the following Ruby competitions. If you have developed an interesting Ruby program, please be encouraged to apply.

Silicon Valley Competition (November 3, 2011 in Silicon Valley), Entry Deadline: October 17, 2011

Selected finalists will present their Ruby programs in front of Matz on November 3, 2011 in Silicon Valley (exact location to be announced later). Matz, together with a panel of judges, will select the winner. The winner will be invited to Fukuoka, Japan for an award ceremony to be held in March 2012 (hotel and airfare paid). If you enter the Silicon Valley competition, you will also be automatically entered in the Fukuoka competition described below.

Fukuoka Competition - Grand Prize - 1 Million Yen! (March 2012 in Fukuoka, Japan), Entry Deadline: November 15, 2011

You can enter the Fukuoka competition exclusively, or enter the above Silicon Valley Competition and be automatically entered in the Fukuoka Competition. Matz and a group of panelists will select the winners of the Fukuoka Competition. The grand prize winner will be invited to attend the award ceremony in Fukuoka, Japan in March 2012 (hotel and airfare paid). The grand prize for the Fukuoka Competition is 1 million yen(approximately $13,000!). Past grand prize winners include Rhomobile (USA) and APEC Climate Center (Korea).

Programs entered in these competitions do not have to be written entirely in Ruby but should take advantage of the unique characteristics of Ruby. Projects must have been developed or completed within the past 12 months to be eligible.

Please visit the following Fukuoka website for additional details or to enter:

http://www.myfukuoka.com/events/2012-fukuoka-ruby-award-competition

Cheers.

Plans for 1.8.7

Thu, 06 Oct 2011 07:48:38 GMT

Hello, and thank you for your getting into our community.

I know most of you more or less use version 1.8.7 of Ruby today. It was released in 2008 and was a state-of-art Ruby release back then. -- I am proud to say it is no longer. Ruby's core developers have been actively working on their new version, 1.9, and they are about to release new 1.9.3. I have been using 1.9 for years and now I cannot go back to the days without it. Rich features. Faster execution. Rubygems integrated. Rails works perfectly. I cannot but say it is totally wonderful. Everyone please, use 1.9.

But at the same time I know you cannot switch to 1.9 right now for various reasons. Maybe you have already deployed your application with 1.8.7. Maybe you use a 3rd party library and that is for 1.8.7 only. Or maybe your Linux distribution only supports 1.8.7. So I hereby announce you how long you can stick to it. It is OK if you are using 1.8.7 today but after a while, it will be shut down.

Please be ready.

Schedule:

We continue to provide normal maintenance for 1.8.7 as usual, until June 2012. You can safely assume we provide bugfixes and no incompatibility shall be introduced.
After that we stop bugfixes. We still provide security fixes until June 2013, in case you are still using 1.8.7.
We will no longer support 1.8.7 in all senses after June 2013.