Ruby News

DoS vulnerability in BigDecimal

Tue, 09 Jun 2009 23:56:01 GMT

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.

Impact

An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as:

BigDecimal("9E69999999").to_s("F")

Vulnerable versions

1.8 series

1.8.6-p368 and all prior versions
1.8.7-p160 and all prior versions

1.9 series

All 1.9.1 versions are not affected by this issue

Solution

1.8 series

Please upgrade to 1.8.6-p369 or ruby-1.8.7-p174.

Updates

Ruby 1.8.7-p173 had a problem. If you have already downloaded it, please get a newer one. Ruby 1.8.6-p369 do not have this bug.

Ruby 1.8.6 maintenance moved to Engine Yard

Sat, 23 May 2009 14:17:38 GMT

Recently we have a welcome, historic development that the Ruby 1.8.6's maintenance stewardship moved from me (Urabe Shyouhei) to Kirk Haines of Engine Yard.

Ruby 1.8.6 was released on 2007, and the Ruby core team has provided supports such as bug fixes and security alerts since then. As Ruby 1.8.6 became widely used, users asked us to last those support longer than we thought earlier. That was basically OK for us except one thing: who is to do that. Engine Yard kindly came forward to do the job, and we have worked on moving needed privileges from us to them. This announce is to finish that process.

This issue do not affect those current Ruby 1.8.6 users in the short run. Everything remains as they are. Users' benefit is that bug fixes and improvements for Ruby 1.8.6 lasts longer than we announced before. I believe that is what everyone want.

Ruby 1.9.1-p129 released

Tue, 12 May 2009 08:42:00 GMT

Ruby 1.9.1-p129 has been released.

This is a patch level release for Ruby 1.9.1. This fixes many bugs and two security vulnerabilities. This release contains security fix so we recommend all 1.9.1 users to upgrade your ruby.

Ruby 1.8.7-p160 and 1.8.6-p368 released

Sat, 18 Apr 2009 22:05:07 GMT

Updates to already-released Ruby 1.8.7 and 1.8.6 have been released.

This time we have fixed dozens of bugs, including workarounds for CVE-2007-1558. Many segfaults are also fixed. For a complete list of what has been fixed, please read the ChangeLogs.

The released tarballs are available at:

Checksums:

MD5(ruby-1.8.6-p368.tar.gz)= 508bf1911173ac43e4e6c31d9dc36b8f
SHA256(ruby-1.8.6-p368.tar.gz)= cc8cad3edd02d8c2de3c63a7d8a5cb85af39766dd47360a9c0f26339b101e2a0
SIZE(ruby-1.8.6-p368.tar.gz)= 4602095

MD5(ruby-1.8.6-p368.tar.bz2)= 623447c6d8c973193aae565a5538ccfc
SHA256(ruby-1.8.6-p368.tar.bz2)= 1bd398a125040261f8e9e74289277c82063aae174ada9f300d2bea0a42ccdcc1
SIZE(ruby-1.8.6-p368.tar.bz2)= 3967709

MD5(ruby-1.8.6-p368.zip)= 3d301a4b1aded1922570585bbece2c29
SHA256(ruby-1.8.6-p368.zip)= 8ba4bfd14d2914bfe2c18ffa9da084234be978fd0eee654f7a5c732a1beb0246
SIZE(ruby-1.8.6-p368.zip)= 5619494

MD5(ruby-1.8.7-p160.tar.gz)= 945398f97e2de6dd8ab6df68d10bb1a1
SHA256(ruby-1.8.7-p160.tar.gz)= 47c3d1ae6b3dbda230d04f258304516fc1da571fa757d5e1d8d0104b49045530
SIZE(ruby-1.8.7-p160.tar.gz)= 4818817

MD5(ruby-1.8.7-p160.tar.bz2)= f8ddb886b8a81cf005f53e9a9541091d
SHA256(ruby-1.8.7-p160.tar.bz2)= e524a086212d2142c03eb6b82cd602adcac9dcf8bf60049e89aa4ca69864984d
SIZE(ruby-1.8.7-p160.tar.bz2)= 4137518

MD5(ruby-1.8.7-p160.zip)= 06319bafa225df47fe26dfb52bc174a7
SHA256(ruby-1.8.7-p160.zip)= c56fefbb9e7e186bf9feeb864793ad2a53062ce871b47ab0170316e38f738995
SIZE(ruby-1.8.7-p160.zip)= 5876269

The ChangeLogs are bundled into those tarballs, and also available at the following locations:

Updates

Earlier version of this document said it fixed CVE-2008-1447, but that has already been included in 1.8.7-p160 / 1.8.6-p368. Thanks to Tomas Hoger.

MountainWest RubyConf Schedule

Wed, 25 Feb 2009 20:49:16 GMT

The schedule for the upcoming MountainWest RubyConf is available.

You can also keep track of the conference via twitter. Just follow @mwrc

MountainWest RubyConf is being held in Salt Lake City, UT, USA, March 13 and 14 2009.

Ruby 1.9.1 released

Fri, 30 Jan 2009 22:50:28 GMT

Ruby 1.9.1 is released. This is the first stable release of the Ruby 1.9 series.

Ruby 1.9 is a new series of Ruby. It is modern, faster, with clearer syntax, multilingualized, a much improved version of Ruby.

Ruby 1.8 series has been used since 2003 and many great products were born on it.

Today, the Ruby 1.9 series starts its history as the 1.8 series did.

Please note that Ruby 1.8 still remains. 1.8.8 will be released this year.

You can read about major changes since 1.8.7 here

7 bugs have been fixed since 1.9.1 RC2.

If you encounter any bugs or any problems, please report them using the official issue tracking system.

Download from

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p0.tar.bz2
SIZE: 7190271 bytes

MD5: 0278610ec3f895ece688de703d99143e

SHA256: de7d33aeabdba123404c21230142299ac1de88c944c9f3215b816e824dd33321

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p0.tar.gz
SIZE: 9025004 bytes

MD5: 50e4f381ce68c6de72bace6d75f0135b

SHA256: a5485951823c8c22ddf6100fc9e10c7bfc85fb5a4483844033cee0fad9e292cc

ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p0.zip
SIZE: 10273609 bytes

MD5: 3377d43b041877cda108e243c6b7f436

SHA256: 00562fce4108e5c6024c4152f943eaa7dcc8cf97d5c449ac102673a0d5c1943b

Server maintenance

Wed, 28 Jan 2009 07:38:06 GMT

Services of ruby-lang.org will be unavailable for the server maintenance between 01:00-06:00 on 31 January 2009 (UTC). Sorry for any inconvenience.

MountainWest RubyConf 2009 Proposal Deadline Approaching

Tue, 23 Dec 2008 16:24:46 GMT

MountainWest RubyConf 2009 will be held March 13-14, 2009, in Salt Lake City, Utah, USA.

The submission deadline for presentation proposals is midnight (MST) on December 31st, 2008.

Please send your proposal to proposals@mtnwestrubyconf.org.

Please see mtnwestrubyconf.org/ for more details.

RubyConf 2008 Summary Video

Thu, 27 Nov 2008 23:17:47 GMT

While RubyConf fans are waiting on the videos trickle in Confreaks, hold yourself over with the 31 minute summary video from Rails Envy. It's a perfect way to get an overview of what you missed at the conference.

Scotland on Rails 2009

Mon, 10 Nov 2008 14:55:53 GMT

Scotland on Rails is pleased to announce that Conference2009 will be held March 26-28 in Edinburgh, Scotland.

We are now accepting submissions. The closing date for submissions is December 1st 2008, so there’s still time! Please mail your plaintext proposals for 45 minute sessions to submissions@scotlandonrails.com.

Alternatively, if you are interested in sponsoring the conference, please mail sponsorship@scotlandonrails.com for a prospectus.

Lastly, if you wish to be notified when we open for registration, you can sign up on the site.

Come and enjoy all that Edinburgh has to offer (whisky! castle! volcano! ruby! whisky!) in March. We hope to see you there.