Here you will find information about security issues of Ruby.
Reporting Security Vulnerabilities
Security vulnerabilities should be reported via an email to firstname.lastname@example.org (the PGP public key), which is a private mailing list. Reported problems will be published after fixes.
The members of the mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, PaaS platformers). The members must be individual people, mailing lists are not permitted.
Here are recent issues:
- CVE-2015-1855: Ruby OpenSSL Hostname Verification
- CVE-2014-8090: Another Denial of Service XML Expansion
- CVE-2014-8080: Denial of Service XML Expansion
- Changed default settings of ext/openssl
- Dispute of Vulnerability CVE-2014-2734
- OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160)
- Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
- Heap Overflow in Floating Point Parsing (CVE-2013-4164)
- Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
- Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)
More known issues:
- Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) published at 22 Feb, 2013.
- Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) published at 22 Feb, 2013.
- XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) published at 6 Feb, 2013.
- Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) published at 10 Nov, 2012.
- Unintentional file creation caused by inserting a illegal NUL character (CVE-2012-4522) published at 12 Oct, 2012.
- $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) published at 12 Oct, 2012.
- Security Fix for RubyGems: SSL server verification failure for remote repository published at 20 Apr, 2012.
- Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack published at 16 Feb, 2012.
- Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815) published at 28 Dec, 2011.
- Exception methods can bypass $SAFE published at 18 Feb, 2011.
- FileUtils is vulnerable to symlink race attacks published at 18 Feb, 2011.
- XSS in WEBrick (CVE-2010-0541) published at 16 Aug, 2010.
- Buffer over-run in ARGF.inplace_mode= published at 2 Jul, 2010.
- WEBrick has an Escape Sequence Injection vulnerability published at 10 Jan, 2010.
- Heap overflow in String (CVE-2009-4124) published at 7 Dec, 2009.
- DoS vulnerability in BigDecimal published at 9 Jun, 2009.
- DoS vulnerability in REXML published at 23 Aug, 2008.
- Multiple vulnerabilities in Ruby published at 8 Aug, 2008.
- Arbitrary code execution vulnerabilities published at 20 Jun, 2008.
- File access vulnerability of WEBrick published at 3 Mar, 2008.
- Net::HTTPS Vulnerability published at 4 Oct, 2007.
- Another DoS Vulnerability in CGI Library published at 4 Dec, 2006.
- DoS Vulnerability in CGI Library (CVE-2006-5467) published at 3 Nov, 2006.
- Ruby vulnerability in the safe level settings published at 2 Oct, 2005.