Ruby News http://www.ruby-online.co.uk/en/feeds/news.rss/ en-us 40 The latest news from ruby-online.co.uk. Arbitrary code execution vulnerabilities <p>Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.</p> <h2><a name="label-0" id="label-0">Impact</a></h2><!-- RDLabel: "Impact" --><p>With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code.</p><ul> <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662">CVE-2008-2662</a></li> <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663">CVE-2008-2663</a></li> <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725">CVE-2008-2725</a></li> <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726">CVE-2008-2726</a></li> <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664">CVE-2008-2664</a></li> </ul><h2><a name="label-1" id="label-1">Vulnerable versions</a></h2><!-- RDLabel: "Vulnerable versions" --><dl> <dt><a name="label-2" id="label-2">1.8 series</a></dt><!-- RDLabel: "1.8 series" --> <dd> <ul> <li>1.8.4 and all prior versions</li> <li>1.8.5-p230 and all prior versions</li> <li>1.8.6-p229 and all prior versions</li> <li>1.8.7-p21 and all prior versions</li> </ul> </dd> <dt><a name="label-3" id="label-3">1.9 series</a></dt><!-- RDLabel: "1.9 series" --> <dd> <ul> <li>1.9.0-1 and all prior versions</li> </ul> </dd> </dl><h2><a name="label-4" id="label-4">Solution</a></h2><!-- RDLabel: "Solution" --><dl> <dt><a name="label-5" id="label-5">1.8 series</a></dt><!-- RDLabel: "1.8 series" --> <dd> Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22. <ul> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz&gt;</a> (md5sum: e900cf225d55414bffe878f00a85807c)</li> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz&gt;</a> (md5sum: 5e8247e39be2dc3c1a755579c340857f)</li> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz&gt;</a> (md5sum: fc3ede83a98f48d8cb6de2145f680ef2)</li> </ul> </dd> <dt><a name="label-6" id="label-6">1.9 series</a></dt><!-- RDLabel: "1.9 series" --> <dd> Please upgrade to 1.9.0-2. <ul> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.9/ruby-1.9.0-2.tar.gz">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.9/ruby-1.9.0-2.tar.gz&gt;</a> (md5sum: 2a848b81ed1d6393b88eec8aa6173b75)</li> </ul> </dd> </dl><p>These versions also fix the vulnerability of WEBrick (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1891">CVE-2008-1891</a>).</p><p>Please note that a package that corrects this weakness may already be available through your package management software.</p><h2><a name="label-7" id="label-7">Credit</a></h2><!-- RDLabel: "Credit" --><p>Credit to Drew Yao of Apple Product Security for disclosing the problem to Ruby Security Team.</p><h2><a name="label-8" id="label-8">Changes</a></h2><!-- RDLabel: "Changes" --><ul> <li>2008-06-21 00:29 +09:00 removed wrong CVE IDs (CVE-2008-2727, CVE-2008-2728).</li> </ul> Fri, 20 Jun 2008 12:54:43 GMT http://www.ruby-online.co.uk/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ http://www.ruby-online.co.uk/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ RubyNation 2008 <p>RubyNation is an annual Ruby conference serving the Virginia, West Virginia, Maryland, and Washington, DC areas. This year's RubyNation will happen on August 1&amp;2, 2008 in Herndon, VA. Please visit the <a href="http://rubynation.org/">RubyNation site</a> for more details.</p> Mon, 16 Jun 2008 22:05:00 GMT http://www.ruby-online.co.uk/en/news/2008/06/16/rubynation-2008/ http://www.ruby-online.co.uk/en/news/2008/06/16/rubynation-2008/ Ruby 1.8.7 has been released <p>Akinori <span class="caps">MUSHA</span> announced today that Ruby 1.8.7 has been released.</p> <p>The new version of Ruby includes many bug fixes, lots of feature enhancements backported from 1.9 and some performance improvements since 1.8.6 while maintaining stability and backward compatibility with the previous release to a high degree. See the bundled documentation for details about compatibility issues.</p> <p>The source code package is available in three formats at the following locations:</p> <ul> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7.tar.bz2">ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7.tar.bz2</a></li> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7.tar.gz">ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7.tar.gz</a></li> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7.zip">ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.7.zip</a></li> </ul> <p>Checksums:</p> <ul> <li><span class="caps">MD5</span> (ruby-1.8.7.tar.bz2) = f17f14c8d55e731b3ce1bc35c42f0a6c</li> <li><span class="caps">SHA256</span> (ruby-1.8.7.tar.bz2) = 65f2a862ba5e88bac7a78cff15bcb88d7534e741b51a1ffb79a0136c7041359a</li> <li><span class="caps">SIZE</span> (ruby-1.8.7.tar.bz2) = 4100024</li> </ul> <ul> <li><span class="caps">MD5</span> (ruby-1.8.7.tar.gz) = de906850f9a012c12ffc6e9f56fb1b66</li> <li><span class="caps">SHA256</span> (ruby-1.8.7.tar.gz) = 600dccf13bca3e4179fa6ff554220ce4ba67ffc72bce1ac3bf74c2599c03a0ca</li> <li><span class="caps">SIZE</span> (ruby-1.8.7.tar.gz) = 4799732</li> </ul> <ul> <li><span class="caps">MD5</span> (ruby-1.8.7.zip) = 14d3eb37b32e4a26966bdd80f361ccd2</li> <li><span class="caps">SHA256</span> (ruby-1.8.7.zip) = 805987ad167d8f9cac90e4b9342686e96a7708664111be27a3c6d680ce21d6c1</li> <li><span class="caps">SIZE</span> (ruby-1.8.7.zip) = 5851408</li> </ul> <p>For a brief list of user visible changes and a full list of all changes, see the bundled files named <span class="caps">NEWS</span> and ChangeLog, which are also available at the following locations:</p> <ul> <li>http://svn.ruby-online.co.uk/repos/ruby/tags/v1_8_7/NEWS</li> <li>http://svn.ruby-online.co.uk/repos/ruby/tags/v1_8_7/ChangeLog</li> </ul> Sat, 31 May 2008 16:55:58 GMT http://www.ruby-online.co.uk/en/news/2008/05/31/ruby-1-8-7-has-been-released/ http://www.ruby-online.co.uk/en/news/2008/05/31/ruby-1-8-7-has-been-released/ Server maintenance <p>Services on ruby-online.co.uk except SVN will be down for server maintenance on Fri May 23 02:00:00 UTC 2008. Sorry for inconvenience.</p> Thu, 22 May 2008 09:37:31 GMT http://www.ruby-online.co.uk/en/news/2008/05/22/server-maintenance-20080523/ http://www.ruby-online.co.uk/en/news/2008/05/22/server-maintenance-20080523/ Tulsa Ruby Workshop <p>I wanted to get the word out about the upcoming Tulsa Ruby Workshop. This will take place on April 26th, from 10 AM to 4 PM in Tulsa, OK.</p> <p>The workshop has a great line up of intro Ruby and Rail content. I&#8217;m honored to have been asked to give two of the talks that day: an introduction to Ruby talk as well as a Ruby from Java talk. There will also be a beginning Rails talk from Tulsa.rb&#8217;s commander and chief, an Engine Yard employee on hand sharing deployment advice, as well as other language specific migration talks.</p> <p>That&#8217;s pretty much a full day of Ruby learning and the best news is that attendance is free. They are even throwing in some food.</p> <p>If you&#8217;re going to be in the area, definitely come join us!</p> <p>You can find directions, a schedule, and other details about the workshop at:</p> <p><a href="http://tulsarb.org/wiki/Tulsa_Ruby_Workshop">http://tulsarb.org/wiki/Tulsa_Ruby_Workshop</a></p> <p>Hope to see you there.</p> Fri, 11 Apr 2008 16:31:11 GMT http://www.ruby-online.co.uk/en/news/2008/04/11/tulsa-ruby-workshop/ http://www.ruby-online.co.uk/en/news/2008/04/11/tulsa-ruby-workshop/ File access vulnerability of WEBrick <p>WEBrick, a standard library of Ruby to implement HTTP servers, has file access vulnerability.</p> <h2><a name="label-0" id="label-0">Impact</a></h2><!-- RDLabel: "Impact" --><p>The following programs are vulnerable.</p><ol> <li>Programs that publish files using <code>WEBrick::HTTPServer.new</code> with the <code>:DocumentRoot</code> option</li> <li>Programs that publish files using <code>WEBrick::HTTPServlet::FileHandler</code></li> </ol><p>Affected systems are:</p><ol> <li>Systems that accept backslash (\) as a path separator, such as Windows.</li> <li>Systems that use case insensitive filesystems such as NTFS on Windows, HFS on Mac OS X.</li> </ol><p>This vulnerability has the following impacts.</p><ol> <li><p>Attacker can access private files by sending a url with url encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.</p> <p>Example:</p> <pre>http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini</pre></li> <li>Attacker can access files that matches to the patterns specified by the <code>:NondisclosureName</code> option (the default value is <code>[".ht*", "*~"]</code>). This exploit works only on systems that use case insensitive filesystems.</li> </ol><h2><a name="label-1" id="label-1">Vulnerable versions</a></h2><!-- RDLabel: "Vulnerable versions" --><dl> <dt><a name="label-2" id="label-2">1.8 series</a></dt><!-- RDLabel: "1.8 series" --> <dd> <ul> <li>1.8.4 and all prior versions</li> <li>1.8.5-p114 and all prior versions</li> <li>1.8.6-p113 and all prior versions</li> </ul> </dd> <dt><a name="label-3" id="label-3">1.9 series</a></dt><!-- RDLabel: "1.9 series" --> <dd> <ul> <li>1.9.0-1 and all prior versions</li> </ul> </dd> </dl><h2><a name="label-4" id="label-4">Solution</a></h2><!-- RDLabel: "Solution" --><dl> <dt><a name="label-5" id="label-5">1.8 series</a></dt><!-- RDLabel: "1.8 series" --> <dd> Please upgrade to 1.8.5-p115 or 1.8.6-p114. <ul> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz&gt;</a> (md5sum: 20ca6cc87eb077296806412feaac0356)</li> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz&gt;</a> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)</li> </ul> </dd> <dt><a name="label-6" id="label-6">1.9 series</a></dt><!-- RDLabel: "1.9 series" --> <dd> Please apply the following patch to lib/webrick/httpservlet/filehandler.rb. <ul> <li><a href="ftp://ftp.ruby-online.co.uk/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff">&lt;URL:ftp://ftp.ruby-online.co.uk/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff&gt;</a> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)</li> </ul> </dd> </dl><p>Please note that a package that corrects this weakness may already be available through your package management software.</p><h2><a name="label-7" id="label-7">Credit</a></h2><!-- RDLabel: "Credit" --><p>Credit to Digital Security Research Group (<a href="http://dsec.ru/">&lt;URL:http://dsec.ru/&gt;</a>) for disclosing the problem to Ruby Security Team.</p> Mon, 03 Mar 2008 15:00:28 GMT http://www.ruby-online.co.uk/en/news/2008/03/03/webrick-file-access-vulnerability/ http://www.ruby-online.co.uk/en/news/2008/03/03/webrick-file-access-vulnerability/ Scotland on Rails 2008 <p>Scotland on Rails is pleased to announce that Conference2008 is open for registration. There is a limit to the number of registrations we&#8217;re able to accept so we&#8217;d advise you to get in quickly :-)</p> <p>You can register at <a href="http://scotlandonrails.com/register">http://scotlandonrails.com/register</a> The conference will take place on April 4th and 5th in Edinburgh (in a castle!), Scotland and will feature speakers from the UK, Europe, US and New Zealand including keynotes from Michael Koziarski and David Black. A list of sessions and speakers is available at <a href="http://scotlandonrails.com/talks">http://scotlandonrails.com/talks</a>.</p> <p>We&#8217;re also planning a charity event on Thursday 3rd. This will feature an beginner level intro to Ruby and Rails in the morning, and sessions from several of the speakers from the main conference (including Jim Weirich, Bruce Williams and Giles Bowkett) in the afternoon. All the money raised from that days event will be going to <span class="caps">CHAS</span> &#8211; The Childrens Hospice Association.</p> Wed, 27 Feb 2008 14:48:20 GMT http://www.ruby-online.co.uk/en/news/2008/02/27/scotland-on-rails-2008/ http://www.ruby-online.co.uk/en/news/2008/02/27/scotland-on-rails-2008/ European Ruby Confrence 2008 (EURUKO) <p><span class="caps">EURUKO</span> is an annual conference about the Ruby programming language with an informal atmosphere and lots of opportunities to listen, to talk, to hack and to have fun. This year it takes place in <a href="http://www.euruko2008.org/">Prague, Czech Republic, on March 29th to 30th.</a></p> Mon, 25 Feb 2008 15:33:16 GMT http://www.ruby-online.co.uk/en/news/2008/02/25/european-ruby-confrence-2008-euruko/ http://www.ruby-online.co.uk/en/news/2008/02/25/european-ruby-confrence-2008-euruko/ MountainWest RubyConf 2008 <p>Registration for <a href="http://mtnwestrubyconf.org">MountainWest RubyConf 2008</a> is now open. This year features an expanded <a href="http://mtnwestrubyconf.org/2008/speakers">schedule and list of speakers</a>.</p> <p>The conference will be in Salt Lake City, Utah, <span class="caps">USA</span>, on March 28 and 29, 2008. <a href="http://www.acteva.com/go/mtnwestruby">Registration costs just $100</a> and includes lunch both days, t-shirt, and more.</p> Mon, 04 Feb 2008 18:24:11 GMT http://www.ruby-online.co.uk/en/news/2008/02/04/mountainwest-rubyconf-2008/ http://www.ruby-online.co.uk/en/news/2008/02/04/mountainwest-rubyconf-2008/ Ruby Fool's Conference <p>The first <a href="http://jaoo.dk/ruby-cph/conference/">Ruby Fools conference</a> will be held on April Fools&#8217; Day in Copenhagen, Denmark. The conference organizers intend to cater a bit to both expert and novice developers, so any Rubyists in the area may want to consider attending.</p> Thu, 24 Jan 2008 14:24:47 GMT http://www.ruby-online.co.uk/en/news/2008/01/24/ruby-fools-conference/ http://www.ruby-online.co.uk/en/news/2008/01/24/ruby-fools-conference/