Ruby on Rails Security Project

Exploring the Security of Rails and friends.

What's happening here? The Rails Security Project wants to make Rails (applications) more secure. I, Heiko Webers, stand strong behind the true meaning of the word hacker, as opposed to a cracker. I write blog posts about Rails and security related topics, carry out security audits for your web applications, and I'm currently rewriting my book. Contact me at 42 -the AT sign- rorsecurity.info.

Ruby security vulnerabilities

June 24th, 2008 · No Comments

Here is the news from the Rails Log:

Drew Yao at Apple uncovered a handful of nasty security vulnerabilities affecting all current versions of Ruby. The details are still under wraps because an attacker can DoS you or possibly execute arbitrary code—holy crap! Better upgrade sooner than later.

According to the official Ruby security advisory, the vulnerable Rubies are:

  • 1.8.4 and earlier
  • 1.8.5-p230 and earlier
  • 1.8.6-p229 and earlier
  • 1.8.7-p21 and earlier

Those of us running Ruby 1.8.4 or earlier must upgrade to 1.8.5 or later for a fix. Those on 1.8.5-7 can grab the latest patchlevel release for a fix.

(Please note: Ruby 1.8.7 breaks backward compatibility and is only compatible with Rails 2.1 and later, so don’t go overboard!)
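As an added example (not part of the original post or the Ruby advisory), here is a small Ruby check that parses `ruby -v` output and compares the build against the affected ranges listed above. The function names and the sample version lines are this example's own, and an unknown patchlevel on an affected line is treated as affected.

```ruby
# Added example, not from the original post: encode the affected ranges
# quoted above and check a Ruby build against them.

# Highest affected patchlevel of each 1.8.x line the advisory names.
VULNERABLE_PATCHLEVELS = {
  "1.8.5" => 230,
  "1.8.6" => 229,
  "1.8.7" => 21,
}.freeze

# Parse a `ruby -v` line such as "ruby 1.8.6 (2008-03-03 patchlevel 114) [i686-linux]"
# (1.8 style) or "ruby 1.9.1p0 (2009-01-30 revision 21907) [x86_64-linux]" (newer style).
# Returns [version_string, patchlevel_or_nil], or nil when the line is not recognised.
def parse_ruby_version(line)
  m = line.match(/\Aruby (\d+\.\d+\.\d+)(?:p(\d+))? \(\d{4}-\d{2}-\d{2}(?: patchlevel (\d+))?/)
  return nil unless m
  patchlevel = m[2] || m[3]
  [m[1], patchlevel && patchlevel.to_i]
end

# True when version/patchlevel falls inside a range the advisory lists as affected.
# A nil patchlevel on an affected line counts as affected (the conservative choice).
def vulnerable_ruby?(version, patchlevel)
  major, minor, teeny = version.split(".").map(&:to_i)
  # 1.8.4 and earlier: every patchlevel is affected
  return true if ([major, minor, teeny] <=> [1, 8, 4]) <= 0
  limit = VULNERABLE_PATCHLEVELS[version]
  return false unless limit # not one of the lines the advisory names
  patchlevel.nil? || patchlevel <= limit
end

# Convenience check for the interpreter running this script.
def current_ruby_vulnerable?
  patchlevel = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  vulnerable_ruby?(RUBY_VERSION, patchlevel)
end

if __FILE__ == $0
  # Constructed sample lines, as collected from `ruby -v` on several hosts.
  ["ruby 1.8.6 (2008-03-03 patchlevel 114) [i686-linux]",
   "ruby 1.8.7 (2008-06-20 patchlevel 22) [i686-linux]",
   "ruby 1.8.4 (2005-12-24) [i686-linux]"].each do |line|
    version, patchlevel = parse_ruby_version(line)
    status = vulnerable_ruby?(version, patchlevel) ? "UPGRADE" : "ok"
    puts "#{line.ljust(55)} #{status}"
  end
end
```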

Tags: Ruby
