Ruby News
https://www.ruby-lang.org/en/feeds/news.rss/
en-us
40
The latest news from Ruby-Lang.org.
-
WEBrick has an Escape Sequence Injection vulnerability
<p>A vulnerability was found in WEBrick, a part of Ruby's standard library.
WEBrick lets attackers inject malicious escape sequences into its logs,
making it possible for dangerous control characters to be executed on a
victim's terminal emulator.</p>
<p>We already have a fix for it. Releases for every active branch are to follow
this announcement. In the meantime, we recommend that you avoid looking at your
WEBrick logs until you update your WEBrick process.</p> <h2>Detailed description</h2>
<p>Terminal escape sequences are used to allow various forms of interaction
between a terminal and the process running inside it. The problem is that those sequences
are not intended to be issued by untrusted sources, such as network inputs. So
if a remote attacker could inject escape sequences into WEBrick logs, and a
victim happens to consult them through his/her terminal, the attacker could take
advantage of various <a href="https://marc.info/?l=bugtraq&m=104612710031920&w=2" title="Terminal Emulator Security Issues">weaknesses in terminal emulators</a>.</p>
<p>And WEBrick fails to filter those terminal escape sequences.</p>
<p>Example:</p>
<pre><code>% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
% wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
</code></pre>
<p>Watch out for the window title of xterm.</p>
<h2>Affected versions</h2>
<ul>
<li>Ruby 1.8.6 patchlevel 383 and all prior versions</li>
<li>Ruby 1.8.7 patchlevel 248 and all prior versions</li>
<li>Development versions of Ruby 1.8 (1.8.8dev)</li>
<li>Ruby 1.9.1 patchlevel 376 and all prior versions</li>
<li>Development versions of Ruby 1.9 (1.9.2dev)</li>
</ul>
<h2>Solutions</h2>
<ul>
<li>Fixes for 1.8.6, 1.8.7, and 1.9.1 are to follow this announcement.
<ul>
<li><strong>Update</strong> 1.8.7 pl. 249 was released to fix this issue.
1.8.7 users are encouraged to upgrade.
<ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p249.tar.gz">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p249.tar.gz</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p249.tar.bz2">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p249.tar.bz2</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p249.zip">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p249.zip</a></li>
</ul></li>
<li><strong>Update</strong> 1.9.1 pl. 378 was released to fix this issue.
1.9.1 users are encouraged to upgrade.
<ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p378.tar.gz">ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p378.tar.gz</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p378.tar.bz2">ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p378.tar.bz2</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p378.zip">ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p378.zip</a></li>
</ul></li>
<li><strong>Update</strong> 1.8.6 pl. 388 was released to fix this issue.
1.8.6 users are encouraged to upgrade.
<ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.tar.gz">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.tar.gz</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.tar.bz2">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.tar.bz2</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.zip">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.zip</a></li>
</ul></li>
</ul></li>
<li>For development versions, please update to the most recent revision for each
development branch.</li>
</ul>
<h2>Credit</h2>
<p>Credit to Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi, and
Francesco "ascii" Ongaro for discovering this vulnerability.</p>
Sun, 10 Jan 2010 09:52:59 GMT
https://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
https://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
-
Ruby 1.8.7-p248 released
<p>We now have a series of patches to fix various bugs against 1.8.7 so I (Urabe Shyouhei) decided to release them. Here they are.</p>
<ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p248.tar.gz">ruby-1.8.7-p248.tar.gz</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p248.tar.bz2">ruby-1.8.7-p248.tar.bz2</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p248.zip">ruby-1.8.7-p248.zip</a></li>
</ul>
<p>And excuse me for the absence of a detailed release note... Please read the <a href="https://svn.ruby-lang.org/cgi-bin/viewvc.cgi/tags/v1_8_7_248/ChangeLog">ChangeLog</a> instead.</p> <p>Checksums:</p>
<pre><code>MD5(ruby-1.8.7-p248.tar.gz)= 60a65374689ac8b90be54ca9c61c48e3
SHA256(ruby-1.8.7-p248.tar.gz)= 5c9cd617a2ec6b40abd7c7bdfce3256888134482b22f933a061ae18fb4b48755
SIZE(ruby-1.8.7-p248.tar.gz)= 4831010
MD5(ruby-1.8.7-p248.tar.bz2)= 37e19d46b7d4b845f57d3389084b94a6
SHA256(ruby-1.8.7-p248.tar.bz2)= 3d238c4cf0988797d33169ab05829f1a483194e7cacae4232f3a0e2cc01b6bfc
SIZE(ruby-1.8.7-p248.tar.bz2)= 4153123
MD5(ruby-1.8.7-p248.zip)= 819b9db9bcd4aa9a70f1193380a318c9
SHA256(ruby-1.8.7-p248.zip)= c133ecf35d5509e61443db05c9691bea6c6f63b87600a452b742014767bd98b3
SIZE(ruby-1.8.7-p248.zip)= 5889980
</code></pre>
Fri, 25 Dec 2009 10:19:52 GMT
https://www.ruby-lang.org/en/news/2009/12/25/ruby-1-8-7-p248-released/
https://www.ruby-lang.org/en/news/2009/12/25/ruby-1-8-7-p248-released/
-
Ruby 1.9.1-p376 is released
<p>Ruby 1.9.1-p376 has just been released. This is a patch level release of Ruby 1.9.1 and includes the fix for CVE-2009-4124.</p><h4><a name="label-0" id="label-0">CVE-2009-4124</a></h4><!-- RDLabel: "CVE-2009-4124" --><p>The previous release, Ruby 1.9.1-p243, has a <a href="https://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/">security vulnerability that allows heap overflow</a>. This vulnerability was found by Emmanouel Kellinis, KPMG London.</p><p>I recommend that all Ruby 1.9.1 users upgrade to p376. However, the vulnerability does not affect the Ruby 1.8 series.</p> <h4><a name="label-0" id="label-0">Other fixes</a></h4><!-- RDLabel: "Other fixes" --><p>In addition, 1.9.1-p376 includes more than 100 bug fixes.</p><ul>
<li>Irb extension commands had been broken. This was fixed.</li>
<li>Ripper had not been able to parse some Ruby code. This was fixed.</li>
<li>Fixed build failures on AIX.</li>
<li>Some bug fixes of Matrix.</li>
<li>Gems installed in a user's home directory can now be loaded.</li>
<li>Some methods now return a string with the correct encoding.</li>
</ul><p>See the ChangeLog for more detail.</p><ul>
<li><a href="https://svn.ruby-lang.org/repos/ruby/branches/ruby_1_9_1/ChangeLog"><URL:https://svn.ruby-lang.org/repos/ruby/branches/ruby_1_9_1/ChangeLog></a></li>
</ul><h4><a name="label-1" id="label-1">Location</a></h4><!-- RDLabel: "Location" --><ul>
<li><a href="https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2"><URL:https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2></a>
<dl>
<dt><a name="label-2" id="label-2">SIZE:</a></dt><!-- RDLabel: "SIZE:" -->
<dd>
7293106 bytes
</dd>
<dt><a name="label-3" id="label-3">MD5:</a></dt><!-- RDLabel: "MD5:" -->
<dd>
e019ae9c643c5efe91be49e29781fb94
</dd>
<dt><a name="label-4" id="label-4">SHA256:</a></dt><!-- RDLabel: "SHA256:" -->
<dd>
79164e647e23bb7c705195e0075ce6020c30dd5ec4f8c8a12a100fe0eb0d6783
</dd>
</dl></li>
<li><a href="https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.gz"><URL:https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.gz></a>
<dl>
<dt><a name="label-5" id="label-5">SIZE:</a></dt><!-- RDLabel: "SIZE:" -->
<dd>
9073007 bytes
</dd>
<dt><a name="label-6" id="label-6">MD5:</a></dt><!-- RDLabel: "MD5:" -->
<dd>
ebb20550a11e7f1a2fbd6fdec2a3e0a3
</dd>
<dt><a name="label-7" id="label-7">SHA256:</a></dt><!-- RDLabel: "SHA256:" -->
<dd>
58b8fc1645283fcf3d5be195dffcaf55b7c85cbc210074273b57b835409b21ca
</dd>
</dl></li>
<li><a href="https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.zip"><URL:https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.zip></a>
<dl>
<dt><a name="label-8" id="label-8">SIZE:</a></dt><!-- RDLabel: "SIZE:" -->
<dd>
10337871 bytes
</dd>
<dt><a name="label-9" id="label-9">MD5:</a></dt><!-- RDLabel: "MD5:" -->
<dd>
d4d5e62f65cb92a281f1569a7f25371b
</dd>
<dt><a name="label-10" id="label-10">SHA256:</a></dt><!-- RDLabel: "SHA256:" -->
<dd>
486d3efdab269040ce7142964ba3a4e0d46f0a5b812136bcac7e5bafc726c14e
</dd>
</dl></li>
</ul>
Mon, 07 Dec 2009 05:06:59 GMT
https://www.ruby-lang.org/en/news/2009/12/07/ruby-1-9-1-p376-is-released/
https://www.ruby-lang.org/en/news/2009/12/07/ruby-1-9-1-p376-is-released/
-
Heap overflow in String
<p>There is a heap overflow vulnerability in <code>String#ljust</code>, <code>String#center</code> and <code>String#rjust</code>. This has allowed an attacker to run arbitrary code in some rare cases.</p><ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124">CVE-2009-4124</a></li>
</ul><h2><a name="label-0" id="label-0">Vulnerable versions</a></h2><!-- RDLabel: "Vulnerable versions" --><ul>
<li>All releases of Ruby 1.9.1.</li>
</ul><p>This vulnerability does not affect the Ruby 1.8 series.</p> <h2><a name="label-0" id="label-0">Solution</a></h2><!-- RDLabel: "Solution" --><p>Please upgrade to Ruby 1.9.1-p376.</p><ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.bz2></a></li>
</ul><h2><a name="label-1" id="label-1">Credit</a></h2><!-- RDLabel: "Credit" --><p>Credit to Emmanouel Kellinis, KPMG London, for disclosing the problem to the Ruby Security team.</p><h2><a name="label-2" id="label-2">Changes</a></h2><!-- RDLabel: "Changes" --><ul>
<li>2009-12-07 14:52 +0900
add link to CVE (but not opened yet when writing this page)</li>
</ul>
Mon, 07 Dec 2009 04:59:08 GMT
https://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/
https://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/
-
MountainWest RubyConf 2010
<p>MountainWest RubyConf 2010 will be held March 11 and 12, 2010, in Salt Lake City, UT, <span class="caps">USA</span>.</p>
<p><a href="https://mtnwestrubyconf.org">https://mtnwestrubyconf.org</a></p>
<p>Talk proposals are being accepted right this very minute!</p>
<p>Submit yours <a href="https://spreadsheets.google.com/viewform?formkey=dERsdEVIc0FTSlBtanVxTWFNamdHcmc6MA">here.</a></p>
<p>But don’t delay! The submission deadline is midnight (MST) on December 31st, 2009.</p>
Thu, 03 Dec 2009 20:22:53 GMT
https://www.ruby-lang.org/en/news/2009/12/03/mountainwest-rubyconf-2010/
https://www.ruby-lang.org/en/news/2009/12/03/mountainwest-rubyconf-2010/
-
RubyWorld Conference
<p><a href="https://www.rubyworld-conf.org/en/">The RubyWorld Conference</a> will be held at the Shimane Prefectural Convention Center “Kunibiki Messe”, Shimane Prefecture, on September 7th–8th, 2009.</p><p><a href="https://www.rubyworld-conf.org/en/program/">The talks at the International Conference Hall</a> will be broadcast live at <a href="https://www.rubyworld-conf.org/en/">the official web site</a>.</p><p>Stay tuned!</p>
Fri, 04 Sep 2009 11:00:23 GMT
https://www.ruby-lang.org/en/news/2009/09/04/rubyworld-conference/
https://www.ruby-lang.org/en/news/2009/09/04/rubyworld-conference/
-
Call for Proposals for RubyConf 2009
<p>The Call for Proposals for presenting at RubyConf 2009 is now open.</p>
<p>The deadline for proposals is August 21, 2009.</p>
<p>You need to sign up for an account at <a href="https://www.rubyconf.org">rubyconf.org</a>, and then you can submit your
proposal.</p>
<p>RubyConf 2009 will take place November 19-21 2009, at the Embassy
Suites Hotel at the San Francisco Airport, California, <span class="caps">USA</span>.</p>
Mon, 03 Aug 2009 02:31:21 GMT
https://www.ruby-lang.org/en/news/2009/08/03/call-for-proposals-for-rubyconf-2009/
https://www.ruby-lang.org/en/news/2009/08/03/call-for-proposals-for-rubyconf-2009/
-
Ruby 1.9.2 preview 1 released
<p>Ruby 1.9.2 preview 1 has been released.</p><p>This is a preview for the 1.9.2 series. It is just a snapshot. It still
has some known bugs and is sometimes unstable.
Let us know your view on it.</p><ul>
<li>The Socket API was made more object-oriented.</li>
<li>Time was reimplemented and enhanced. Now Time has no max/min value, no year 2038 problem.</li>
<li>New Random class for random number sequence.</li>
<li>Good news for merb users: Method#parameters</li>
</ul><p>See the <a href="https://svn.ruby-lang.org/repos/ruby/trunk/NEWS">NEWS</a> and the <a href="https://svn.ruby-lang.org/repos/ruby/trunk/ChangeLog">ChangeLog</a> for more detail.</p><h4><a name="label-0" id="label-0">Location</a></h4><!-- RDLabel: "Location" --><ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.tar.bz2"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.tar.bz2></a>
<dl>
<dt><a name="label-1" id="label-1">SIZE</a></dt><!-- RDLabel: "SIZE" -->
<dd>
7487008 bytes
</dd>
<dt><a name="label-2" id="label-2">MD5</a></dt><!-- RDLabel: "MD5" -->
<dd>
0b8f27ea78afcdc54d5d23e569aa0150
</dd>
<dt><a name="label-3" id="label-3">SHA256</a></dt><!-- RDLabel: "SHA256" -->
<dd>
0681204e52207153250da80b3cc46812f94107807458a7d64b17554b6df71120
</dd>
</dl></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.tar.gz"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.tar.gz></a>
<dl>
<dt><a name="label-4" id="label-4">SIZE</a></dt><!-- RDLabel: "SIZE" -->
<dd>
9422226 bytes
</dd>
<dt><a name="label-5" id="label-5">MD5</a></dt><!-- RDLabel: "MD5" -->
<dd>
e2b8cdbf300f53472be09699a5837fd1
</dd>
<dt><a name="label-6" id="label-6">SHA256</a></dt><!-- RDLabel: "SHA256" -->
<dd>
7f29ab3b1d5f0074bb82a6bf398f1cacd42fe508a17fc14844560c4d906786b6
</dd>
</dl></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.zip"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.zip></a>
<dl>
<dt><a name="label-7" id="label-7">SIZE</a></dt><!-- RDLabel: "SIZE" -->
<dd>
10741739 bytes
</dd>
<dt><a name="label-8" id="label-8">MD5</a></dt><!-- RDLabel: "MD5" -->
<dd>
253b5845e4b0f8250ae79c328b94e049
</dd>
<dt><a name="label-9" id="label-9">SHA256</a></dt><!-- RDLabel: "SHA256" -->
<dd>
cb132277476856535ee31e85929a3041877b0912868b7f64d1cf911a79463cdf
</dd>
</dl></li>
</ul>
Mon, 20 Jul 2009 04:12:04 GMT
https://www.ruby-lang.org/en/news/2009/07/20/ruby-1-9-2-preview-1-released/
https://www.ruby-lang.org/en/news/2009/07/20/ruby-1-9-2-preview-1-released/
-
Ruby 1.9.1-p243 released
<p>Ruby 1.9.1-p243 has been released.</p><p>This is a patch level release in the 1.9.1 series.
It includes bug fixes.</p><p>See the <a href="https://svn.ruby-lang.org/repos/ruby/branches/ruby_1_9_1/ChangeLog">ChangeLog</a> for more details.</p><h4><a name="label-0" id="label-0">Location</a></h4><!-- RDLabel: "Location" --><ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.tar.bz2"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.tar.bz2></a>
<dl>
<dt><a name="label-1" id="label-1">SIZE</a></dt><!-- RDLabel: "SIZE" -->
<dd>
7191348 bytes
</dd>
<dt><a name="label-2" id="label-2">MD5</a></dt><!-- RDLabel: "MD5" -->
<dd>
66d4f8403d13623051091347764881a0
</dd>
<dt><a name="label-3" id="label-3">SHA256</a></dt><!-- RDLabel: "SHA256" -->
<dd>
39c9850841c0dd5d368f96b854f97c19b21eb28a02200f8b4e151f608092e687
</dd>
</dl></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.tar.gz"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.tar.gz></a>
<dl>
<dt><a name="label-4" id="label-4">SIZE</a></dt><!-- RDLabel: "SIZE" -->
<dd>
9043825 bytes
</dd>
<dt><a name="label-5" id="label-5">MD5</a></dt><!-- RDLabel: "MD5" -->
<dd>
515bfd965814e718c0943abf3dde5494
</dd>
<dt><a name="label-6" id="label-6">SHA256</a></dt><!-- RDLabel: "SHA256" -->
<dd>
31598e37b3962643bec722921644957be6f8fb9a26f6c91fa627bd668ea68be4
</dd>
</dl></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.zip"><URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.zip></a>
<dl>
<dt><a name="label-7" id="label-7">SIZE</a></dt><!-- RDLabel: "SIZE" -->
<dd>
10307868 bytes
</dd>
<dt><a name="label-8" id="label-8">MD5</a></dt><!-- RDLabel: "MD5" -->
<dd>
7086675f78185d72719132231b810e4d
</dd>
<dt><a name="label-9" id="label-9">SHA256</a></dt><!-- RDLabel: "SHA256" -->
<dd>
68a9847299269c5251dc61f7aad8482ab6022a6b1be13635d607fb593208b226
</dd>
</dl></li>
</ul>
Mon, 20 Jul 2009 04:07:26 GMT
https://www.ruby-lang.org/en/news/2009/07/20/ruby-1-9-1-p243-released/
https://www.ruby-lang.org/en/news/2009/07/20/ruby-1-9-1-p243-released/
-
DoS vulnerability in BigDecimal
<p>A denial of service (DoS) vulnerability was found in the BigDecimal
standard library of Ruby. Conversion from BigDecimal objects into
Float numbers had a problem which enables attackers to effectively
cause segmentation faults.</p>
<p>ActiveRecord relies on this method, so most Rails applications are
affected by this, though this is not a Rails-specific issue.</p>
<h1>Impact</h1>
<p>An attacker can cause a denial of service by causing BigDecimal to
parse an insanely large number, such as:</p>
<pre>
BigDecimal("9E69999999").to_s("F")
</pre>
<h1>Vulnerable versions</h1>
<h2>1.8 series</h2>
<ul>
<li>1.8.6-p368 and all prior versions</li>
<li>1.8.7-p160 and all prior versions</li>
</ul>
<h2>1.9 series</h2>
<ul>
<li>No 1.9.1 version is affected by this issue</li>
</ul>
<h1>Solution</h1>
<h2>1.8 series</h2>
<p>Please upgrade to 1.8.6-p369 or ruby-1.8.7-p174.</p>
<ul>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz</a></li>
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz">ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz</a></li>
</ul>
<h1>Updates</h1>
<ul>
<li>Ruby 1.8.7-p173 had a problem. If you have already downloaded it, please get a newer one. Ruby 1.8.6-p369 does not have this bug.</li>
</ul>
Tue, 09 Jun 2009 23:56:01 GMT
https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/