Dr. Dobb's | Security Flaws Discovered, Patched in Ruby 1.8 and 1.9 | June 23, 2008


		FREE Subscription to Dr. Dobb’s Digest: Same Great Content, New Digital Edition	Site Archive (Complete)

	ABOUT US \| CONTACT \| ADVERTISE \| SUBSCRIBE \| SOURCE CODE \| NEWSLETTERS \| RESOURCES \| BLOGS \| PODCASTS \| GO PARALLEL

Security


	Email	Print Reprint
	add to:
	Del.icio.us Digg Google Furl	Slashdot Y! MyWeb Blink

June 23, 2008

Security Flaws Discovered, Patched in Ruby 1.8 and 1.9

Patches have been issued for bugs in several of Ruby's array- and string-related functions.

Late last week, Drew Yao of Apple Product Security apparently discovered several vulnerabilities in multiple versions of Ruby that could allow attackers to execute arbitrary code or create a denial of service condition.

The vulnerabilities stemmed from unchecked overflow conditions in several array-handling routines, and from an unsafe memory allocation in Ruby's string processing. The Ruby maintainers have since released patches for these vulnerabilities. Vulnerable versions include:

1.8.4 and all prior versions
1.8.5-p230 and all prior versions
1.8.6-p229 and all prior versions
1.8.7-p21 and all prior versions
1.9.0-1 and all prior versions

Patches are available here:
http://www.ruby-lang.org/en/news /2008/06/20/arbitrary-code-execution-vulnerabilities/


RELATED ARTICLES Welcome To the World of Cryptographic Voting Jetbrains Updates Ruby IDE Klocwork Targets Productivity With Dev Tool Suite Fuzzing Security Testing Tool Released Data Aggregation and Bayes Classifiers		TOP 5 ARTICLES No Top Articles.

MICROSITES FEATURED TOPIC ADDITIONAL TOPICS	INFO-LINK
DEVELOPER WHITEPAPERS VeriSign Code Signing Digital Certificates for Adobe AIR Overcoming Mobile Fragmentation: Building Applications for Multiple Operating Systems Intel® SOA Expressway Service Mediation & Governance Performance Comparison to IBM® DataPower XI50 View More Whitepapers

DEPARTMENTS

Architecture & Design

Development Tools

Embedded Systems

High Performance Computing

Web Development

Parallel & Multi-core

| All Feeds

© 2009 TechWeb, Privacy Policy, Terms of Service, United Business Media LLC
Comments about the web site: webmaster@ddj.com

TechWeb

The Global Leader In Technology Media

InformationWeek Business Technology Network

Advanced Trading

Bank Systems & Technology

Bank Systems & Technology Executive Summit

InformationWeek

InformationWeek 500

InformationWeek 500 Conference

InformationWeek Analytics

InformationWeek Events

InformationWeek Financial Services

InformationWeek Global CIO

InformationWeek Government

InformationWeek Healthcare

InformationWeek India

InformationWeek Magazine

Insurance & Technology

Insurance & Technology Executive Summit

Intelligent Enterprise

Internet Evolution

Network Computing

Plug into the Cloud

Wall Street & Technology

Light Reading
Communications Network

Light Reading Asia

Light Reading Insider

Light Reading Live!

Light Reading's Digital Cable News

Light Reading's Ethernet Expo

Pyramid Research

Tower Technology Summit

TechWeb
Events Network

Most Popular

Bob Evan's Global CIO

David Berlind's Tech Radar

Enterprise 2.0 Blog

InformationWeek Analytics

Jon Erickson's Blog

Microsoft/Windows Blog