Message-ID: <50EA2F0E.1050006@FreeBSD.org>
Date: Mon, 07 Jan 2013 02:12:30 +0000
From: Steve Wills
To: Olli Hauer
Cc: ruby@FreeBSD.org
Subject: Re: ruby and CVE-2012-5664
References: <50E89410.7040900@FreeBSD.org>
In-Reply-To: <50E89410.7040900@FreeBSD.org>
List-Id: FreeBSD-specific Ruby discussions

On 01/05/13 20:58, Olli Hauer wrote:
> It seems there are new releases for ruby because of a security issue CVE-2012-5664
>
> Also it seems some ports may be affected, a quick search for CVE-2012-5664 shows also new releases for puppet (enterprise) and others.
>
> https://groups.google.com/group/rubyonrails-security/browse_thread/thread/c2353369fea8c53
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5664
> http://www.securityfocus.com/bid/57084
>
> I'm not using ruby at all, so I can only suspect there will be also other ports in the tree affected.
>

The issue is in Ruby On Rails, not Ruby itself. There's an update to Ruby 1.9, but it's not a security issue. I'll see what I can do about the Rails update first, then the rest later.

Steve