Ruby 1.8.4 released!

Ruby 1.8.4 has been released. The source is ftp://ftp.ruby-online.co.uk/pub/ruby/ruby-1.8.4.tar.gz, the md5sum is bd8c2e593e1fa4b01fd98eaf016329bb, and the file size is 4,312,965 bytes.

Ruby 1.8.4 preview 2 released

Ruby 1.8.4 preview 2 has been released. You can download the source here. The md5 sum is: e5a48054fb34f09da17e8e8f04b8c706

New Ruby Web Magazine Goes Live

The newest on-line resource for serious Ruby information has gone live. Ruby Code & Style, an on-line magazine from Artima, has just published issue #1. Check out the names on the advisory board. It’s a Who’s Who of everybody who’s anybody in the Ruby world. The premiere issue has three outstanding articles:

  • First up, Jack Herrington, author of Code Generation in Action (Manning, 2002) and Podcasting Hacks (O’Reilly, 2005), has written Modular Architectures with Ruby.
  • Next, Austin Ziegler gives us Creating Printable Documents with Ruby.
  • And there’s a reprint of Ara Howard’s article, Linux Clustering with Ruby Queue: Small is Beautiful, which first appeared in Linux Journal but deserves repeat attention.

A big thanks to the advisory board, and especially to Bill Venners for starting this whole thing.

EuRuKo 2005

EuRuKo 2005, the European Ruby Conference, will be in Munich, Germany, October 15 and 16, 2005. If you have any means whatsoever to attend, go. It is still fairly small, and the intimate feeling of the conference is something special. You can see the current agenda here, but last year there were assorted spontaneous talks and discussions as well and it will likely be the same this year.

Ruby vulnerability in the safe level settings

The Ruby versions listed below have a vulnerability that allows arbitrary code to run, bypassing the safe level check.

Date published: 2005-10-02
Versions affected:
  Stable releases (1.8.x) - Versions 1.8.2 and earlier (fixed in version 1.8.3)
  Old releases (1.6.x) - Versions 1.6.8 and earlier
  Development versions (1.9.0) - Versions 2005-09-01 and earlier (fixed in version 2005-09-02)

Solution:

Users of stable releases (1.8.x) and development versions (1.9.0) should update Ruby to the latest versions listed above. Users of old releases (1.6.x) should update to the stable releases (1.8.x) or download the latest snapshot for 1.6.x from the URL below, build, and install.

ftp://ftp.ruby-online.co.uk/pub/ruby/snapshot-1.6.tar.gz

A patch from ruby-1.6.8.tar.gz is also provided at the following location:

ftp://ftp.ruby-online.co.uk/pub/ruby/1.6/1.6.8-patch1.gz

md5sum: 7a97381d61576e68aec94d60bc4cbbab

A patch from ruby-1.8.2.tar.gz is also provided at the following location:

ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/1.8.2-patch1.gz

md5sum: 4f32bae4546421a20a9211253da103d3

Description:

The object-oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: the safe level and the taint flag on objects. A vulnerability has been found that allows these mechanisms to be bypassed. By using the vulnerability, arbitrary code can be executed beyond the restrictions specified in each safe level. Therefore, Ruby has to be updated on all systems that use the safe level to execute untrusted code.

Reference:

JVN#62914675 http://jvn.jp/jp/JVN%2362914675/index.html (in Japanese)

Acknowledgment:

We thank Dr. Yutaka Oiwa, Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, who found the vulnerability that allows bypassing safe level.

Ruby 1.8.3 released

Ruby 1.8.3 has been released. The source is here, and the md5sum is 63d6c2bddd6af86664e338b31f3189a6.

Registration for RubyConf 2005 is CLOSING soon.

Registration for RubyConf 2005 is CLOSING soon. The schedule is as follows:

  • Friday, September 16: last day for full registration (meals included)
  • Friday, September 23: last day for events-only registration (no meals)

So, all you stragglers, get over to the RubyConf site.

RubyConf 2005 Registration: Time is running out

David Black announced on ruby-talk that there are now 136 registrants, from 12 countries, for RubyConf 2005. If you still have not registered, do it now. Full registration (i.e., full meal plans) ends in two weeks. Non-full may continue past that, but not forever. Go to the RubyConf site for complete registration details.

RubyConf 2005 Registration Tops 100

David A. Black recently reported on ruby-talk that over 100 people have registered for RubyConf 2005, to be held this coming October 14-16 in San Diego. If you haven’t yet registered, now is the time!

security@ruby-online.co.uk

We have created security@ruby-online.co.uk. If you have found vulnerabilities in Ruby, please report them to this address. security@ruby-online.co.uk is a private mailing list, and anyone can post to it without subscription.

XMLRPC.iPIMethods Vulnerability

On Fri Jun 17 2005, a vulnerability in XMLRPC.iPIMethods was reported in [ruby-core:05237]. Remote attackers can execute arbitrary commands through this vulnerability.

Affected Programs

Programs providing XML-RPC services by XMLRPC.iPIMethods are affected.

Fix

This vulnerability was already fixed in both the CVS HEAD and the ruby_1_8 branch.

Please apply this patch for ruby-1.8.2.

Upgrade to Debian GNU/Linux 3.1

We’ll upgrade this host to Debian GNU/Linux 3.1 (sarge) on Wed Jun 29 05:00:00 UTC 2005. Services will be stopped for a while. Successfully DONE. Thank you.

Anonymous CVS Service Restart

Anonymous CVS Service was restarted. Thank you.

Anonymous CVS Service Stopped

We stopped the anonymous CVS service because of a security update to CVS. The service will be restarted after the Debian package update.

Server Maintenance

We’ll be performing server maintenance on Thu Apr 14 03:00:00 UTC 2005. It may be down briefly.

RubyConf 2005 Preregistration now open

Preregistration for the upcoming Fifth Annual International Ruby Conference (RubyConf 2005) is now open. RubyConf 2005 will be held in San Diego, CA, October 14-16. You can preregister here. The full announcement is here.

RubyCentral CodeFest Grants Announced

Ruby Central announced the recipients of its first CodeFest Grant Program. Five projects were awarded funding to support regional coding sessions, whose aim is to build working Ruby code to fill a void in the landscape of available Ruby libraries. Congratulations to the recipients!

Ruby Weekly News

Tim Sutherland announced the latest publication of the Ruby Weekly News. The Ruby Weekly News is a weekly summary of the ruby-talk mailing list. Tim recently resurrected it after an extended hiatus. The Ruby Weekly News is a great way to stay in touch with what’s happening in the world of ruby-talk as its volume continues to grow. Many thanks to Tim for this valuable resource!