Ruby vulnerabilities announced in resolv, WEBrick and safe


Igal Koshevoy

Aug 9, 2008, 10:18:51 PM
to Igal Koshevoy
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
> Multiple vulnerabilities have been discovered in Ruby[...]:
> * Several vulnerabilities in safe level[...]
> * DoS vulnerability in WEBrick[...]
> * Lack of taintness check in dl[...]
> * DNS spoofing vulnerability in resolv.rb[...]
>
> Vulnerable versions
> * 1.8.5 and all prior versions
> * 1.8.6-p285 and all prior versions
> * 1.8.7-p70 and all prior versions

Based on the above description, you'll only be affected if you're doing
DNS resolution from Ruby, running an exposed WEBrick server, or are
executing untrusted Ruby code.

However, be cautious about upgrading to this new release because it's
NOT just a bug fix -- it introduces a huge amount of changed code since
the 1.8.6p114 and p230 releases. If you need a stable, compatible Ruby
interpreter for production, please hold off on upgrading until more
quality assurance has been done -- almost all past releases required
unofficial patches.

If you don't have time to figure out which patches to use, I recommend
that you wait until the next Ruby Enterprise Edition (REE) release, or
for your OS vendor to ship updated packages that include the appropriate
patches.

But if you have time and would like to assist with quality-assurance and
debugging, please join the ruby-talk and ruby-core mailing lists and
read their recent archives to see what they need help with.

I've contacted the folks that I worked with on the last set of patches
that are in REE and most OS distros to see what they think should be
done. If the new official release works well enough, it should be
possible to rebase the unofficial patches to it and get a working
solution within the next few days. If the new official release has
issues, it may take a week or more to figure out how to backport its
fixes to the older p111 and p114 versions that almost everyone is using
as the base for their production interpreters.

-igal
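As an added example (not part of Igal's message or the ruby-lang advisory), here is a small Ruby check that a practitioner could drop into a deployment script to decide whether a given interpreter falls inside the vulnerable ranges the advisory quoted above lists. The version boundaries (1.8.5 and prior, 1.8.6-p285 and prior, 1.8.7-p70 and prior) come from the advisory text; the function names, the parsing regex and the tri-state return value are my own construction and not anything the advisory or REE ships.

```ruby
# Added example: classify a Ruby version string against the vulnerable
# ranges quoted from the 2008-08-08 ruby-lang advisory. Not project code.

# First patchlevel per minor release that is NOT in the advisory's
# "and all prior versions" ranges (1.8.6-p285 and 1.8.7-p70 are affected,
# so p286 and p71 are the first unaffected builds on those branches).
FIRST_UNAFFECTED_PATCHLEVEL = { [1, 8, 6] => 286, [1, 8, 7] => 71 }.freeze

# Parse "1.8.6-p285", "1.8.6 p285" or a bare "1.8.5" into [[1, 8, 6], 285].
# A missing patchlevel is treated as p0. Returns nil for unrecognised input.
def parse_ruby_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:[-\s]?p(\d+))?\z/.match(str.strip)
  return nil unless m
  [[m[1].to_i, m[2].to_i, m[3].to_i], m[4] ? m[4].to_i : 0]
end

# true  -> inside a range the advisory lists as vulnerable
# false -> on a listed branch, at or above the first unaffected patchlevel
# nil   -> a release the advisory does not mention (e.g. 1.9.x), so this
#          check cannot say anything about it
def vulnerable_ruby?(str)
  parsed = parse_ruby_version(str)
  raise ArgumentError, "unrecognised version string: #{str.inspect}" unless parsed
  ver, patch = parsed
  # "1.8.5 and all prior versions": affected regardless of patchlevel.
  return true if (ver <=> [1, 8, 5]) <= 0
  fixed = FIRST_UNAFFECTED_PATCHLEVEL[ver]
  return nil unless fixed
  patch < fixed
end

# Check the interpreter this script is running under. Development builds
# report RUBY_PATCHLEVEL as -1, which we clamp to 0 before parsing.
def running_ruby_vulnerable?
  vulnerable_ruby?("#{RUBY_VERSION}-p#{[RUBY_PATCHLEVEL, 0].max}")
end

if __FILE__ == $0
  case running_ruby_vulnerable?
  when true  then puts "#{RUBY_DESCRIPTION}: in a range the advisory lists as vulnerable"
  when false then puts "#{RUBY_DESCRIPTION}: at or above the first unaffected patchlevel"
  else            puts "#{RUBY_DESCRIPTION}: not covered by this advisory"
  end
end
```

The tri-state result is deliberate: the advisory only enumerates 1.8.x branches, so a script that reported 1.9.0 or 1.8.8 as "safe" would be asserting something the advisory never said. Note also that this checks version numbers only; a distribution build that backports the fixes while keeping the old patchlevel string (the situation Igal describes for p111/p114 bases) will still be flagged, so treat a `true` as a prompt to look at the vendor's changelog rather than as proof of exposure.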

M. Edward (Ed) Borasky

Aug 9, 2008, 10:35:16 PM
to pdx...@googlegroups.com, Igal Koshevoy
On Sat, 2008-08-09 at 19:18 -0700, Igal Koshevoy wrote:
> http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
> > Multiple vulnerabilities have been discovered in Ruby[...]:
> > * Several vulnerabilities in safe level[...]
> > * DoS vulnerability in WEBrick[...]
> > * Lack of taintness check in dl[...]
> > * DNS spoofing vulnerability in resolv.rb[...]
> >
> > Vulnerable versions
> > * 1.8.5 and all prior versions
> > * 1.8.6-p285 and all prior versions
> > * 1.8.7-p70 and all prior versions
>
> Based on the above description, you'll only be affected if you're doing
> DNS resolution from Ruby, running an exposed WEBrick server, or are
> executing untrusted Ruby code.
>
> However, be cautious about upgrading to this new release because it's
> NOT just a bug fix -- it introduces a huge amount of changed code since
> the 1.8.6p114 and p230 releases. If you need a stable, compatible Ruby
> interpreter for production, please hold off on upgrading until more
> quality assurance has been done -- almost all past releases required
> unofficial patches.

Have there been any reports of problems with 1.8.6-p286? I thought it
passed all the tests/specs. As for 1.8.7-p71, well ... it's 1.8.7 ...
nuff sed. :)

> I've contacted the folks that I worked with on the last set of patches
> that are in REE and most OS distros to see what they think should be
> done. If the new official release works well enough, it should be
> possible to rebase the unofficial patches to it and get a working
> solution within the next few days. If the new official release has
> issues, it may take a week or more to figure out how to backport its
> fixes to the older p111 and p114 versions that almost everyone is using
> as the base for their production interpreters.

I entered a bug to get 1.8.6-p286 in Portage (and 1.8.7-p71 in the Ruby
overlay). It may be a day or so before a maintainer shows up, though.
--
M. Edward (Ed) Borasky
ruby-perspectives.blogspot.com

"A mathematician is a machine for turning coffee into theorems." --
Alfréd Rényi via Paul Erdős

Jesse Hallett

Aug 10, 2008, 2:11:34 PM
to pdx...@googlegroups.com
On Sat, 2008-08-09 at 19:35 -0700, M. Edward (Ed) Borasky wrote:
> On Sat, 2008-08-09 at 19:18 -0700, Igal Koshevoy wrote:
> > http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
> > > Multiple vulnerabilities have been discovered in Ruby[...]:
> > > * Several vulnerabilities in safe level[...]
> > > * DoS vulnerability in WEBrick[...]
> > > * Lack of taintness check in dl[...]
> > > * DNS spoofing vulnerability in resolv.rb[...]
> > >
> > > Vulnerable versions
> > > * 1.8.5 and all prior versions
> > > * 1.8.6-p285 and all prior versions
> > > * 1.8.7-p70 and all prior versions
> >
> > Based on the above description, you'll only be affected if you're doing
> > DNS resolution from Ruby, running an exposed WEBrick server, or are
> > executing untrusted Ruby code.
> >
> > However, be cautious about upgrading to this new release because it's
> > NOT just a bug fix -- it introduces a huge amount of changed code since
> > the 1.8.6p114 and p230 releases. If you need a stable, compatible Ruby
> > interpreter for production, please hold off on upgrading until more
> > quality assurance has been done -- almost all past releases required
> > unofficial patches.
>
> Have there been any reports of problems with 1.8.6-p286? I thought it
> passed all the tests/specs. As for 1.8.7-p71, well ... it's 1.8.7 ...
> nuff sed. :)

Yes, it apparently does pass RubySpec. Does this mean that the Ruby team
has been making a commendable effort to accommodate the needs of
professional web developers?

http://blog.phusion.nl/2008/08/10/ruby-enterprise-edition-186-20080810-released/

Also, the latest version of Ruby Enterprise Edition is out. It is based
on 1.8.6-p286, as explained at the above link.

Brian Ford

Aug 11, 2008, 2:14:23 PM
to pdxruby
On Aug 10, 11:11 am, Jesse Hallett <halle...@gmail.com> wrote:
> On Sat, 2008-08-09 at 19:35 -0700, M. Edward (Ed) Borasky wrote:
>
> > On Sat, 2008-08-09 at 19:18 -0700, Igal Koshevoy wrote:
> > >http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-...
> > > > Multiple vulnerabilities have been discovered in Ruby[...]:
> > > > * Several vulnerabilities in safe level[...]
> > > > * DoS vulnerability in WEBrick[...]
> > > > * Lack of taintness check in dl[...]
> > > > * DNS spoofing vulnerability in resolv.rb[...]
>
> > > > Vulnerable versions
> > > >         * 1.8.5 and all prior versions
> > > >         * 1.8.6-p285 and all prior versions
> > > >         * 1.8.7-p70 and all prior versions
>
> > > Based on the above description, you'll only be affected if you're doing
> > > DNS resolution from Ruby, running an exposed WEBrick server, or are
> > > executing untrusted Ruby code.
>
> > > However, be cautious about upgrading to this new release because it's
> > > NOT just a bug fix -- it introduces a huge amount of changed code since
> > > the 1.8.6p114 and p230 releases. If you need a stable, compatible Ruby
> > > interpreter for production, please hold off on upgrading until more
> > > quality assurance has been done -- almost all past releases required
> > > unofficial patches.
>
> > Have there been any reports of problems with 1.8.6-p286? I thought it
> > passed all the tests/specs. As for 1.8.7-p71, well ... it's 1.8.7 ...
> > nuff sed. :)
>
> Yes, it apparently does pass RubySpec. Does this mean that the Ruby team
> has been making a commendable effort to accommodate the needs of
> professional web developers?

Just a cautionary note here: passing RubySpec means that it passes
whatever specs exist. The RubySpec is technically (and rather
arbitrarily) at version 0.6.0. So be careful making assumptions about
any implementation that "passes RubySpec" at this stage. There are
missing specs and we do not yet have any formal audit process (other
than the scores of folks working on and running the specs). More
assistance is always welcome. :) (http://rubyspec.org)

>
> http://blog.phusion.nl/2008/08/10/ruby-enterprise-edition-186-2008081...
>
> Also, the latest version of Ruby Enterprise Edition is out. It is based
> on 1.8.6-p286, as explained at the above link.
>
> > > I've contacted the folks that I worked with on the last set of patches
> > > that are in REE and most OS distros to see what they think should be
> > > done. If the new official release works well enough, it should be
> > > possible to rebase the unofficial patches to it and get a working
> > > solution within the next few days. If the new official release has
> > > issues, it may take a week or more to figure out how to backport its
> > > fixes to the older p111 and p114 versions that almost everyone is using
> > > as the base for their production interpreters.
>
> > I entered a bug to get 1.8.6-p286 in Portage (and 1.8.7-p71 in the Ruby
> > overlay). It may be a day or so before a maintainer shows up, though.

Cheers,
Brian