New Ruby Web Magazine Goes Live

The newest on-line resource for serious Ruby information has gone live. Ruby Code & Style, an on-line magazine from Artima, has just published issue #1. Check out the names on the advisory board: it’s a Who’s Who of everybody who’s anybody in the Ruby world. The premiere issue has three outstanding articles. First up, Jack Herrington, author of Code Generation in Action (Manning, 2002) and Podcasting Hacks (O’Reilly, 2005), has written Modular Architectures with Ruby. Next, Austin Ziegler gives us Creating Printable Documents with Ruby. And there’s a reprint of Ara Howard’s article, Linux Clustering with Ruby Queue: Small is Beautiful, which first appeared in Linux Journal but deserves repeat attention. A big thanks to the advisory board, and especially to Bill Venners for starting this whole thing.

EuRuKo 2005

EuRuKo 2005, the European Ruby Conference, will now take place in Munich on 15 and 16 October 2005. It is still very small and offers an intimate atmosphere with very specialised topics. The current agenda is available here; last year, however, many presentations were given spontaneously on site.

Ruby vulnerability in the safe level settings

The Ruby versions listed below have a vulnerability that allows arbitrary code to run, bypassing the safe level check.

Date published: 2005-10-02
Versions affected:
  Stable releases (1.8.x) - Versions 1.8.2 and earlier (fixed in Version 1.8.3)
  Old releases (1.6.x) - Versions 1.6.8 and earlier
  Development versions (1.9.0) - Snapshots of 2005-09-01 and earlier (fixed in the 2005-09-02 snapshot)

Solution:

Users of stable releases (1.8.x) and development versions (1.9.0) should update Ruby to the latest versions listed above. Users of old releases (1.6.x) should update to the stable releases (1.8.x) or download the latest snapshot for 1.6.x from the URL below, build, and install.

ftp://ftp.ruby-online.co.uk/pub/ruby/snapshot-1.6.tar.gz

A patch from ruby-1.6.8.tar.gz is also provided at the following location:

ftp://ftp.ruby-online.co.uk/pub/ruby/1.6/1.6.8-patch1.gz

md5sum: 7a97381d61576e68aec94d60bc4cbbab

A patch from ruby-1.8.2.tar.gz is also provided at the following location:

ftp://ftp.ruby-online.co.uk/pub/ruby/1.8/1.8.2-patch1.gz

md5sum: 4f32bae4546421a20a9211253da103d3

Description:

The object-oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: the safe level and the taint flag on objects. A vulnerability has been found that allows bypassing these mechanisms. By using the vulnerability, arbitrary code can be executed beyond the restrictions specified for each safe level. Therefore, Ruby has to be updated on all systems that use the safe level to execute untrusted code.
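A practitioner responding to this advisory wants two checks: is the Ruby in front of me inside the affected ranges listed above, and does the patch file I downloaded match the md5sum published above? The following script is an added example written for this page, not part of the advisory or of Ruby itself. It encodes the affected-version ranges and the two published md5sums from the advisory; the 1.9.0 development line is identified by snapshot date rather than version number, so it is reported as not covered, as is anything newer than 1.8. The temporary placeholder file in the demo is constructed and is not the real patch, so its checksum is expected to fail.

```ruby
require "rubygems"
require "digest/md5"
require "tmpdir"

# Published md5sums of the two patch files, copied from the advisory.
ADVISORY_PATCH_MD5 = {
  "1.6.8-patch1.gz" => "7a97381d61576e68aec94d60bc4cbbab",
  "1.8.2-patch1.gz" => "4f32bae4546421a20a9211253da103d3",
}.freeze

# Classify a released Ruby version against the advisory's affected ranges.
# Returns :vulnerable, :patched or :not_covered. The 1.9.0 development line is
# identified by snapshot date in the advisory, not by version number, and
# anything newer than 1.8 is outside the advisory's scope.
def safe_level_status(version_string)
  v = Gem::Version.new(version_string)
  if v < Gem::Version.new("1.7")
    # 1.6.x: 1.6.8 and earlier are affected. There is no fixed 1.6 release,
    # only the 1.6 snapshot or the 1.6.8-patch1 patch.
    v <= Gem::Version.new("1.6.8") ? :vulnerable : :not_covered
  elsif v < Gem::Version.new("1.9")
    # 1.8.x: 1.8.2 and earlier are affected, 1.8.3 carries the fix.
    v <= Gem::Version.new("1.8.2") ? :vulnerable : :patched
  else
    :not_covered
  end
end

# Compare a file's md5 against an expected hex digest (case-insensitive).
def md5_matches?(path, expected_hex)
  Digest::MD5.file(path).hexdigest == expected_hex.downcase
end

# Verify a downloaded patch against the advisory's published md5sum.
# File names the advisory does not list are rejected, never silently accepted.
def advisory_patch_ok?(path)
  expected = ADVISORY_PATCH_MD5[File.basename(path)]
  return false if expected.nil?
  md5_matches?(path, expected)
end

if __FILE__ == $0
  puts "Running Ruby #{RUBY_VERSION}: #{safe_level_status(RUBY_VERSION)}"
  %w[1.6.8 1.8.2 1.8.3].each { |ver| puts "#{ver}: #{safe_level_status(ver)}" }

  # Constructed stand-in for a downloaded patch (not the real file), so the
  # checksum comparison is expected to report false here.
  Dir.mktmpdir do |dir|
    fake_patch = File.join(dir, "1.8.2-patch1.gz")
    File.write(fake_patch, "constructed placeholder, not the real patch")
    puts "#{File.basename(fake_patch)} checksum ok? #{advisory_patch_ok?(fake_patch)}"
  end
end
```

Run it with the path of the downloaded patch substituted for the placeholder; a false result from advisory_patch_ok? means the file should not be applied. The version check is deliberately conservative: anything the advisory does not name by version number comes back as :not_covered rather than :patched.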

Reference:

JVN#62914675 http://jvn.jp/jp/JVN%2362914675/index.html (in Japanese)

Acknowledgment:

We thank Dr. Yutaka Oiwa, Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, who found the vulnerability that allows bypassing safe level.
