Hey all, patched ruby on my development and production environments to 1.8.6-p230 to address these new ruby vulnerabilities: http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ mongrel began segfaulting after restarting. Then tried ruby 1.8.7-p22 and upgrading to rails 2.1.0 (from rails 2.0.2), same issue. Had to revert back to the vulnerable GA 1.8.6. Running centos 4, mongrel 1.1.5 (tried 1.1.3, 1.1.4 as well, all same results). Any further info I can provide, I''d be glad to. Dave OSVDB.org
On Mon, Jun 23, 2008 at 3:59 PM, David Shettler <dave at opensecurityfoundation.org> wrote:> Hey all, patched ruby on my development and production environments > to 1.8.6-p230 to address these new ruby vulnerabilities: > > http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ >I still think those are not vulnerabilities but bugs, anyway...> mongrel began segfaulting after restarting. > > Then tried ruby 1.8.7-p22 and upgrading to rails 2.1.0 (from rails > 2.0.2), same issue. Had to revert back to the vulnerable GA 1.8.6. >1.8.7 is not a good thing to try, for your own health, stay away from it, even more for production. 1.8.6-p111 seems stable to me, even with those "vulnerabilities" around it.> Running centos 4, mongrel 1.1.5 (tried 1.1.3, 1.1.4 as well, all same results). > > Any further info I can provide, I''d be glad to. >I suggest you read this post from Ruby On Rails weblog: http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities More important: read the comments, are more valuable than the blog post itself. Regards, -- Luis Lavena AREA 17 - Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams
ah, excellent, thanks for pointing me there. Not sure why I didn''t check there first! And in terms of them being bugs vs vulnerabilities, well, I''m biased :) They have CVE''s, which will get them on our site (osvdb) -- which is ''vulnerable'' to these problems! Ironic, and hence my concern.> I still think those are not vulnerabilities but bugs, anyway... > > http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities > > More important: read the comments, are more valuable than the blog post itself. > > Regards, > -- > Luis Lavena > AREA 17
I''m using 1.8.6-p230 locally and will fix any problems I happen to come across. What architecture are you using? Also, 1.8.7 is a little shaky right now; I recommend avoiding it. Evan On Mon, Jun 23, 2008 at 10:28 AM, David Shettler <dave at opensecurityfoundation.org> wrote:> ah, excellent, thanks for pointing me there. Not sure why I didn''t > check there first! > > And in terms of them being bugs vs vulnerabilities, well, I''m biased :) > > They have CVE''s, which will get them on our site (osvdb) -- which is > ''vulnerable'' to these problems! Ironic, and hence my concern. > >> I still think those are not vulnerabilities but bugs, anyway... >> >> http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities >> >> More important: read the comments, are more valuable than the blog post itself. >> >> Regards, >> -- >> Luis Lavena >> AREA 17 > _______________________________________________ > Mongrel-users mailing list > Mongrel-users at rubyforge.org > http://rubyforge.org/mailman/listinfo/mongrel-users >-- Evan Weaver
> Also, 1.8.7 is a little shaky right now; I recommend avoiding it.This is off topic, but can your or Luis provide some information, or links, on what makes 1.8.7 "shaky" or unsuitable for production? thank you very much - jw
On Mon, Jun 23, 2008 at 9:02 PM, John Weir <john at smokinggun.com> wrote:>> Also, 1.8.7 is a little shaky right now; I recommend avoiding it. > > This is off topic, but can your or Luis provide some information, or links, > on what makes 1.8.7 "shaky" or unsuitable for production? >1.8.7 backported lot of stuff from 1.9, which broke RubySpec: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/16554 At the end something of this was solved, but there are still some guards around some 1.8.7 specific stuff. 1.8.7 also introduced bugs for some GUI tools, like wxRuby: http://rubyforge.org/pipermail/wxruby-development/2008-April/001287.html Regarding the patchelevel stuff, the own tests for ruby don''t pass, as I commented here: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/17364 So I cannot provide an updated version of One-Click Installer for 1.8.7 or 1.8.6-p230 if: 1.8.7 break packages that OCI bundles (wxRuby) and p230 cannot complete it''s own tests...> thank you very much - jw >No problem, take care!. -- Luis Lavena AREA 17 - Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams