Arbitrary code execution vulnerabilities

Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

Impact

With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code.

Vulnerable versions

1.8 series
  • 1.8.4 and all prior versions
  • 1.8.5-p230 and all prior versions
  • 1.8.6-p229 and all prior versions
  • 1.8.7-p21 and all prior versions
1.9 series
  • 1.9.0-1 and all prior versions

Solution

1.8 series
Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22.
1.9 series
Please upgrade to 1.9.0-2.

These versions also fix the vulnerability of WEBrick (CVE-2008-1891).

Please note that a package that corrects this weakness may already be available through your package management software.

Credit

Credit to Drew Yao of Apple Product Security for disclosing the problem to Ruby Security Team.

Changes

  • 2008-06-21 00:29 +09:00 removed wrong CVE IDs (CVE-2008-2727, CVE-2008-2728).