Date:      Sat, 29 Jul 2006 23:49:48 +0400
From:      Sergey Matveychuk <sem@FreeBSD.org>
To:        Shaun Amott <shaun@FreeBSD.org>
Cc:        Joel Hatton <freebsd@auscert.org.au>, ports@freebsd.org, Remko Lodder <remko@FreeBSD.org>, freebsd-security@freebsd.org
Subject:   Re: Ruby vulnerability?
Message-ID:  <44CBBBDC.70409@FreeBSD.org>
In-Reply-To: <20060729180904.GA90113@picobyte.net>
References:  <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> <44CB99E4.2080708@FreeBSD.org> <44CBA0C8.3080605@FreeBSD.org> <20060729180904.GA90113@picobyte.net>

Shaun Amott wrote:
> On Sat, Jul 29, 2006 at 07:54:16PM +0200, Remko Lodder wrote:
>> Sergey Matveychuk wrote:
>>> Shaun Amott wrote:
>>>> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
>>>>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
>>>>> far it doesn't appear in the VuXML, but am I correct in presuming it will
>>>>> soon?
>>>>>
>>>> I've added it; thanks for the report.
>>>>
>>> Can we get patches somewhere? I can't find any.
>>>
>> It is said that the patches are available through the CVSweb,
>> but all the information I could find was in Japanese, which is
>> a bit difficult to read for me (read: I do not speak nor read
>> Japanese at all).
> 
> The CVE report seemed to imply that there was a fix in 1.8.5, which I
> assumed had therefore been released. But it seems this isn't the case.
> 
> The Ruby folks say they don't publish advisories until there is a fix
> ready; and there is no mention of this vulnerability on the website.
> 

The CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
Secunia has a more professional report.

RedHat is the only vendor that has released updates, but they are binary. So,
there is no known fix now.

I hope the Ruby team will release 1.8.5 ASAP.

-- 
Dixi.
Sem.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44CBBBDC.70409>