Ruby News

Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815)

Wed, 28 Dec 2011 13:25:41 GMT

Impact

This is something related to computational complexity. Specially crafted series of strings that intentionally collide their hash values each other was found. With such sequences an attacker can issue a denial of service attack by, for instance, giving them as POST parameters of HTTP requests for your Rails application.

Detailed description

The situation is similar to the one found for Perl in 2003. In 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here the "deterministic" means no other bits of information than the input string itself is involved to generate a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can let ruby process collide bins of hash tables (including Hash class instances). Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n²) to construct a n-elements table this case).

Affected versions

Ruby 1.8.7-p352 and all prior versions.

All Ruby 1.9 series are not affected by this kind of attack. They do not share hash implementations with Ruby 1.8 series.

Solution

Our solution is to scramble the string hash function by some PRNG-generated random bits. By doing so a string's hashed value is no longer deterministic. That is, a String#hash result is consistent only for current process lifetime and will generate a different number for the next boot. To break this situation an attacker must create a set of strings which are robust to this kind of scrambling. This is believed to be quite difficult.

Please upgrade to ruby 1.8.7-p357.

Notes

Bear in mind that the solution does not mean our hash algorithm is cryptographically secure. To put it simple, we fixed the hash table but we didn't fix String#hash weakness. An attacker could still exploit it once he / she got a pair of a string and its hash value returned from String#hash. You must not disclose String#hash outputs. If you need to do such things, consider using secure hash algorithms instead. Some of them (such as SHA256) are provided in Ruby's standard library.
For those who knows alternative hash algorithms inside our code base: we do not support them (they are disabled by default). By choosing them we consider you can read C, and you can understand what was wrong with the default one. Make sure that your choice is safe at your own risk.

Credit

Credit to Alexander Klink alexander.klink@nruns.com and Julian Waelde jwaelde@cdc.informatik.tu-darmstadt.de for reporting this issue.

EDIT some related links:

CVE-2011-4815 is assigned to this issue.
oCERT.org published an advisory about it.
JRuby released version 1.6.5.1 to fix the identical issue. Other ruby alternatives might also suffer.
Twitter account @hashDoS collects informations about hash colliision attacks.

Ruby 1.9.3 p0 is released

Mon, 31 Oct 2011 03:27:41 GMT

Ruby 1.9.3 p0 is released. This is the latest stable version of 1.9 series.

See ChangeLogs and NEWS for the descriptions.

Locations

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p0.tar.bz2>

SIZE: 9554576 bytes

MD5: 65401fb3194cdccd6c1175ab29b8fdb8

SHA256: ca8ba4e564fc5f98b210a5784e43dfffef9471222849e46f8e848b37e9f38acf
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p0.tar.gz>

SIZE: 12223217 bytes

MD5: 8e2fef56185cfbaf29d0c8329fc77c05

SHA256: 3b910042e3561f4296fd95d96bf30322e53eecf083992e5042a7680698cfa34e
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p0.zip>

SIZE: 13691314 bytes

MD5: 437ac529a7872c8dcc956eab8e7e6f76

SHA256: 1be16d0172e9cf9e5078a7bee2465a9f3af431920e1e3d9417a4fc2ee074bca4

Upcoming Ruby Programming Competitions with Matz - Grand Prize - 1,000,000 JPY!

Wed, 12 Oct 2011 14:42:22 GMT

Dear Ruby Enthusiasts:

The Government of Fukuoka, Japan together with "Matz" Matsumoto would like to invite you to enter the following Ruby competitions. If you have developed an interesting Ruby program, please be encouraged to apply.

Silicon Valley Competition (November 3, 2011 in Silicon Valley), Entry Deadline: October 17, 2011

Selected finalists will present their Ruby programs in front of Matz on November 3, 2011 in Silicon Valley (exact location to be announced later). Matz, together with a panel of judges, will select the winner. The winner will be invited to Fukuoka, Japan for an award ceremony to be held in March 2012 (hotel and airfare paid). If you enter the Silicon Valley competition, you will also be automatically entered in the Fukuoka competition described below.

Fukuoka Competition - Grand Prize - 1 Million Yen! (March 2012 in Fukuoka, Japan), Entry Deadline: November 15, 2011

You can enter the Fukuoka competition exclusively, or enter the above Silicon Valley Competition and be automatically entered in the Fukuoka Competition. Matz and a group of panelists will select the winners of the Fukuoka Competition. The grand prize winner will be invited to attend the award ceremony in Fukuoka, Japan in March 2012 (hotel and airfare paid). The grand prize for the Fukuoka Competition is 1 million yen(approximately $13,000!). Past grand prize winners include Rhomobile (USA) and APEC Climate Center (Korea).

Programs entered in these competitions do not have to be written entirely in Ruby but should take advantage of the unique characteristics of Ruby. Projects must have been developed or completed within the past 12 months to be eligible.

Please visit the following Fukuoka website for additional details or to enter:

http://www.myfukuoka.com/events/2012-fukuoka-ruby-award-competition

Cheers.

Plans for 1.8.7

Thu, 06 Oct 2011 07:48:38 GMT

Hello, and thank you for your getting into our community.

I know most of you more or less use version 1.8.7 of Ruby today. It was released in 2008 and was a state-of-art Ruby release back then. -- I am proud to say it is no longer. Ruby's core developers have been actively working on their new version, 1.9, and they are about to release new 1.9.3. I have been using 1.9 for years and now I cannot go back to the days without it. Rich features. Faster execution. Rubygems integrated. Rails works perfectly. I cannot but say it is totally wonderful. Everyone please, use 1.9.

But at the same time I know you cannot switch to 1.9 right now for various reasons. Maybe you have already deployed your application with 1.8.7. Maybe you use a 3rd party library and that is for 1.8.7 only. Or maybe your Linux distribution only supports 1.8.7. So I hereby announce you how long you can stick to it. It is OK if you are using 1.8.7 today but after a while, it will be shut down.

Please be ready.

Schedule:

We continue to provide normal maintenance for 1.8.7 as usual, until June 2012. You can safely assume we provide bugfixes and no incompatibility shall be introduced.
After that we stop bugfixes. We still provide security fixes until June 2013, in case you are still using 1.8.7.
We will no longer support 1.8.7 in all senses after June 2013.

Ruby 1.9.3 rc1 has been released

Sat, 24 Sep 2011 23:23:42 GMT

Ruby 1.9.3 rc1 has been released. This is a second preview of next version and there're still minor known issues. But it will be fixed in next release, ruby 1.9.3-p0.

See ChangeLogs and NEWS for the descriptions.

Locations

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-rc1.tar.bz2>

SIZE: 9552727 bytes

MD5: 26f0dc51ad981e12c58b48380112fa4d

SHA256: 951a8810086abca0e200f81767a518ee2730d6dc9b0cc2c7e3587dcfc3bf5fc8
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-rc1.tar.gz>

SIZE: 12224459 bytes

MD5: 46a2a481536ca0ca0b80ad2b091df68e

SHA256: bb1ae474d30e8681df89599520e766270c8e16450efdc01e099810f5e401eb94
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-rc1.zip>

SIZE: 13696517 bytes

MD5: 9c787f5e4963e54d1a11985a73467342

SHA256: 8e9219b7e6f78a9e171740cbbb3787047383c281c290504dd0e4d8318607a74b

ConFoo 2012: Call for Papers is Now Open!

Thu, 11 Aug 2011 14:05:11 GMT

We are looking for the best speakers willing to share their skills and experience with developers and managers.

This year, ConFoo is dedicated to software development, project management and best practices.

The technical part covers different aspects of Web development such as: Ruby , PHP, Python, .Net, Java, security, content management systems, frameworks, databases, system administration, Web standards, mobile development, accessibility and software architecture.

The management and best practices parts includes: project management, agile methodology, referencing (SEO), Web marketing analysis, social networking, and start-ups.

The conference will be held in Montreal from February 29th to March 2^nd, 2012 at the prestigious Hotel Hilton Bonaventure and will be preceded by a few days of training.

Talk proposals must received by September 2^nd, 2011.

Visit ConFoo.ca in order to submit a proposal.

Ruby 1.9.3 preview1 has been released

Mon, 01 Aug 2011 17:50:00 GMT

Ruby 1.9.3 preview1 has been released. This is a first preview of next version and there're still minor known issues. But it will be fixed in next release, Ruby 1.9.3-p0.

See ChangeLogs and NEWS for the descriptions.

Ruby Inside has published a review of this release.

Downloads

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-preview1.tar.bz2>

SIZE: 9507455 bytes

MD5: 7d93dc773c5824f05c6e6630d8c4bf9b

SHA256: a15d7924d74a45ffe48d5421c5fc4ff83b7009676054fa5952b890711afef6fc
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-preview1.tar.gz>

SIZE: 12186410 bytes

MD5: 0f0220be4cc7c51a82c1bd8f6a0969f3

SHA256: 75c2dd57cabd67d8078a61db4ae86b22dc6f262b84460e5b95a0d8a327b36642
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-preview1.zip>

SIZE: 13696708 bytes

MD5: 960e08b2dc866c9987f17d0480de63a1

SHA256: 249483f88156b4ae65cd45742c6f6316660f793b78739657596c63b86f76aaeb

Differences from previous version

Previous Ruby versions was licensed under "GPLv2" and "Ruby" license but "2-clause BSDL"(AKA Simplfied BSD License) and "Ruby" lisence been replacement of them.

Encoding

SJIS changed to alias for Windows-31J, instead of Shift_JIS.

Standard Libraries

io/console: Add capabilities to IO instances.
openssl
test/unit: supports parallel test

Other changes

pathname and date are re-implemented on current preview.
A purpose of VM locking is changed.

Ruby 1.9.2-p290 is released

Fri, 15 Jul 2011 22:20:00 GMT

Ruby 1.9.2-p290 is released.

This release doesn't include any security fixes, but many bugs are fixed in this release.

See ChangeLog for details.

Downloads

<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p290.tar.bz2>

SIZE:

8811237 bytes

MD5:

096758c3e853b839dc980b183227b182

SHA256:

403b3093fbe8a08dc69c269753b8c6e7bd8f87fb79a7dd7d676913efe7642487
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p290.tar.gz>

SIZE:

11182217 bytes

MD5:

604da71839a6ae02b5b5b5e1b792d5eb

SHA256:

1cc817575c4944d3d78959024320ed1d5b7c2b4931a855772dacad7c3f6ebd7e
<URL:http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p290.zip>

SIZE:

12600100 bytes

MD5:

6060b410aa15d09ac13b93033b8b5c66

SHA256:

bce3d1c8c78fbafb6a0d67df2b8dec5322301f7b4b0f7594656ad689e9cb461d

Ruby 1.8.7-p352 released

Sat, 02 Jul 2011 10:58:25 GMT

Ruby 1.8.7 was released on June 1st, 2008. In commemoration of the third anniversary of Ruby 1.8.7, we have a new patchlevel release today. It includes several bug fixes. For the detail please read the ChangeLog.

Checksums:

MD5(ruby-1.8.7-p352.tar.gz)= 0c33f663a10a540ea65677bb755e57a7
SHA256(ruby-1.8.7-p352.tar.gz)= 2325b9f9ab2af663469d057c6a1ef59d914a649808e9f6d1a4877c8973c2dad0
SIZE(ruby-1.8.7-p352.tar.gz)= 4894181

MD5(ruby-1.8.7-p352.tar.bz2)= 0c61ea41d1b1183b219b9afe97f18f52
SHA256(ruby-1.8.7-p352.tar.bz2)= 9df4e9108387f7d24a6ab8950984d0c0f8cdbc1dad63194e744f1a176d1c5576
SIZE(ruby-1.8.7-p352.tar.bz2)= 4207576

MD5(ruby-1.8.7-p352.zip)= 6f745837e50a86fe0c924dccfa65b4ec
SHA256(ruby-1.8.7-p352.zip)= 24fd9eb8734fd81a51806d16bf3a5624e87a58b877a9a9affb1f6c6158cad5c9
SIZE(ruby-1.8.7-p352.zip)= 5993612

Thank you for all the efforts you made in these three years.

Planned maintenance of redmine.ruby-lang.org

Tue, 22 Feb 2011 02:10:33 GMT

Ruby's issue tracker will be down from 2011-02-23 10:00+09:00 to 24:00 for planned maintenance.

If you have any issue to report, I am afraid but please post a mail to ruby-core mailing list or wait for my finishing maintenance.