23/06/2008, 12:20   #11
Igal Koshevoy
Re: Ruby 1.9.0/1.8.7/1.8.6/1.8.5 new releases (Security Fix)

Ollivier Robert wrote:
> Try this instead:
> http://www.freebsd.org/cgi/cvsweb.cg.../ruby18/files/


Thanks for the assistance. That FreeBSD web site's UI sucks. Their "Get
diffs" button is broken and always returns nothing. To get a diff on a
file, one must click the "text" next to the revision number.

FreeBSD's backported patch seems insufficient and vulnerable. I come to
this conclusion because they only modified two files (sprintf.c and
string.c) -- but the Ruby changelog for this fix mentions other files
(e.g., array.c), and Zed Shaw identifies about a dozen files potentially
involved in the fix at
http://www.zedshaw.com/rants/the_big...abilities.html

So we still need to come up with either a backport for one of the
working versions of Ruby, or a fix to one of the currently released but
broken versions.

I've sent email to Stas, the FreeBSD maintainer of Ruby to warn them of
the potential security hole in their release and in hopes that they may
join this discussion.

-igal
--
Posted via http://www.ruby-forum.com/.
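The comparison Igal does by hand above (files a backport touches versus files the upstream changelog names) as an added example, not code from the post, from FreeBSD or from the Ruby project. It is a small Ruby script that reads the `+++` headers of a unified diff, pulls the `.c`/`.h` names out of a changelog entry, and reports the files the changelog names that the backport never touches. The patch text, the changelog entry and the function names (`patched_files`, `changelog_files`, `missing_from_backport`) are constructed stand-ins for illustration; the sample patch is not the real FreeBSD patch and the sample entry is not the real Ruby ChangeLog.

```ruby
# Added example, not code from the post or from the FreeBSD/Ruby projects.
# Checks whether a backported patch touches every file an upstream
# changelog entry names. The patch text and changelog entry below are
# constructed stand-ins, not the real FreeBSD patch or Ruby ChangeLog.

# Files a unified diff modifies, taken from its "+++ " headers.
# Works for cvs/svn-style "+++ string.c <date>" and git-style "+++ b/string.c".
# Caveat: an added line whose content itself starts with "++ " would be
# misread as a header; real diffs rarely contain one.
def patched_files(diff_text)
  files = []
  diff_text.each_line do |line|
    next unless line =~ /\A\+\+\+ (\S+)/
    path = $1
    next if path == "/dev/null"          # deleted file, nothing patched
    files << path.sub(%r{\A[ab]/}, "")   # drop git's a/ b/ prefix
  end
  files.uniq
end

# Source files named in a changelog entry: any token ending in .c or .h.
def changelog_files(changelog_text)
  changelog_text.scan(%r{\b[\w/]+\.[ch]\b}).uniq
end

# Files the changelog names that the backport never touches. Compared by
# basename, since a ports patch and the upstream tree differ in layout.
def missing_from_backport(diff_text, changelog_text)
  expected = changelog_files(changelog_text).map { |f| File.basename(f) }
  actual   = patched_files(diff_text).map { |f| File.basename(f) }
  expected - actual
end

# Constructed stand-in for a ports-style backport that touches two files.
SAMPLE_BACKPORT_DIFF = <<'DIFF'
--- string.c.orig 2008-06-20 10:00:00 +0000
+++ string.c 2008-06-23 10:00:00 +0000
@@ -10,3 +10,4 @@
 /* unchanged context */
+/* added check (placeholder) */
 /* unchanged context */
--- sprintf.c.orig 2008-06-20 10:00:00 +0000
+++ sprintf.c 2008-06-23 10:00:00 +0000
@@ -20,3 +20,4 @@
 /* unchanged context */
+/* added check (placeholder) */
 /* unchanged context */
DIFF

# Constructed stand-in for an upstream changelog entry naming three files.
SAMPLE_CHANGELOG = <<'LOG'
(constructed entry, not the real Ruby ChangeLog)
  * array.c: add length checks.
  * string.c: add length checks.
  * sprintf.c: add length checks.
LOG

if __FILE__ == $0
  missing = missing_from_backport(SAMPLE_BACKPORT_DIFF, SAMPLE_CHANGELOG)
  if missing.empty?
    puts "backport touches every file the changelog names"
  else
    puts "backport does not touch: #{missing.join(', ')}"
  end
end
```

On the sample input the script reports that `array.c` is untouched. File-level coverage is only a coarse first check: a backport can touch the right files and still drop a hunk, and a changelog can name a file that does not exist in the older branch, so a file that shows up as missing still needs the upstream diff read hunk by hunk against the backport.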
