From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 03:13:25 2006
Return-Path: 
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0148816A4E6 for ; Sun, 30 Jul 2006 03:13:25 +0000 (UTC) (envelope-from ueda@netforest.ad.jp)
Received: from kiku.netforest.co.jp (kiku.netforest.co.jp [218.45.16.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C9DF43D4C for ; Sun, 30 Jul 2006 03:13:22 +0000 (GMT) (envelope-from ueda@netforest.ad.jp)
Received: (qmail 31315 invoked from network); 30 Jul 2006 12:13:21 +0900
Received: from 218-45-20-121.flets.kamome.or.jp (HELO [192.168.0.192]) (SubmissionBy:ueda@[218.45.20.121]) (envelope-sender ) by kiku.netforest.co.jp (qmail-ldap-1.03) with RC4-MD5 encrypted SMTP for ; 30 Jul 2006 12:13:20 +0900
Date: Sun, 30 Jul 2006 12:13:22 +0900
From: =?ISO-2022-JP?B?GyRCPyJFRBsoQiAbJEJNNUc3GyhC?=
To: Sergey Matveychuk
In-Reply-To: <44CBBBDC.70409@FreeBSD.org>
References: <20060729180904.GA90113@picobyte.net> <44CBBBDC.70409@FreeBSD.org>
Message-Id: <20060730114238.F96A.UEDA@netforest.ad.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.25.01 [ja]
X-Mailman-Approved-At: Sun, 30 Jul 2006 05:30:29 +0000
Cc: Joel Hatton , ports@freebsd.org, Remko Lodder , freebsd-security@freebsd.org, Shaun Amott
Subject: Re: Ruby vulnerability?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Sun, 30 Jul 2006 03:13:25 -0000

Dear Sirs,

> CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
> Secunia has more professional report.
>
> RedHat is only vendor who released updates, but they are binary. So,
> there is no known fix now.
The following information may help you:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

But matz (ruby creator) has not mentioned this yet. And he has said that he has no will to release a patch for the vulnerabilities.

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-list/42575

The message is in Japanese and the content is as follows.

At present, a patch for these vulnerabilities is not ready because the problems occur only with $SAFE=4. So the vulnerabilities will be serious only when all the following conditions are satisfied.

* You use $SAFE=4 sandbox
* You run untrusted code

> I hope ruby team will release 1.8.5 ASAP.

On 18th July, ruby 1.8.5 preview2 was released and the release date of 1.8.5 will be near the middle of August if they work on schedule.

Best regards.

-----
UEDA Hiroyuki
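The message above narrows the exposure to code that both raises $SAFE to 4 and runs untrusted code under that sandbox. As an added example that is not part of the original thread, the following Ruby script scans source text for those two conditions together so an administrator can triage a ports tree or application quickly; the regexes and the sample snippets are constructed for illustration and are not drawn from any real project.

```ruby
# Added triage scanner (not from the original mailing-list message).
# Flags Ruby source that both sets $SAFE = 4 and evaluates code from elsewhere,
# i.e. the two conditions the message says must hold together for the reported
# issues to matter. Pattern list is an assumption chosen for illustration.

SAFE4_PATTERN = /\$SAFE\s*=\s*4\b/
EVAL_PATTERNS = [
  /\beval\s*\(/,
  /\binstance_eval\b/,
  /\bclass_eval\b/,
  /\bmodule_eval\b/,
  /\bload\s*\(/,
  /\bKernel\.eval\b/,
]

# Scans one Ruby source text and returns a hash:
#   :safe4   => line numbers that assign $SAFE = 4
#   :eval    => line numbers that evaluate or load code dynamically
#   :exposed => true only when both kinds of line are present
def scan_ruby_source(source)
  safe4_lines = []
  eval_lines = []
  source.each_line.with_index(1) do |line, num|
    next if line.lstrip.start_with?("#")   # skip full-line comments
    safe4_lines << num if line =~ SAFE4_PATTERN
    eval_lines << num if EVAL_PATTERNS.any? { |pat| line =~ pat }
  end
  { safe4: safe4_lines, eval: eval_lines, exposed: !safe4_lines.empty? && !eval_lines.empty? }
end

# Constructed sample inputs (not real project code).
SANDBOX_SNIPPET = <<~RUBY
  # run a user-supplied plugin under the strict sandbox
  plugin_src = File.read(ARGV[0])
  Thread.new do
    $SAFE = 4
    eval(plugin_src)
  end.join
RUBY

PLAIN_SNIPPET = <<~RUBY
  # ordinary script, no sandbox, no dynamic evaluation
  puts "hello"
  $SAFE = 1
RUBY

if __FILE__ == $0
  [["sandbox", SANDBOX_SNIPPET], ["plain", PLAIN_SNIPPET]].each do |name, src|
    r = scan_ruby_source(src)
    puts "#{name}: $SAFE=4 on lines #{r[:safe4].inspect}, eval on lines #{r[:eval].inspect}, exposed=#{r[:exposed]}"
  end
end
```

Only the combination is reported as exposed: a script that merely sets $SAFE = 1, or one that evaluates code without the level-4 sandbox, falls outside the conditions the message describes. A hit from this scanner is a prompt for manual review, not a confirmed finding, since the patterns are textual.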