23/06/2008, 03:49   #6
Igal Koshevoy
Re: Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix)

All versions of MRI Ruby that claim to fix the vulnerabilities either
fail with segmentation faults or change the API in ways that make it
impossible to run vital libraries such as Rails 2.0.x and RSpec.
These broken versions include: 1.8.5p231, 1.8.6p230, 1.8.7p22, and
1.9.0-2. Unfortunately, the source code describing some of the proposed
fixes has been publicly available now for four days for crackers to
write their attacks, so we're in a race with the bad guys to deliver a
solution.

Is anyone working on fixing these bugs? If not, can we rally the
community to get a bounty and/or code sprint going?

Is there a way to convince the Ruby maintainers to run new code against
the publicly-available test suites provided by RubySpec, Rails and RSpec
before they ship a new version, to avoid these problems in the future?

Is there anything else that those of us who lack the necessary C
expertise to fix these problems can do to help with this effort?

Thank you.

-igal
--
Posted via http://www.ruby-forum.com/.
