From owner-freebsd-security@FreeBSD.ORG Sat Jul 29 18:09:07 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1FAA16A4DA; Sat, 29 Jul 2006 18:09:07 +0000 (UTC) (envelope-from shaun@FreeBSD.org)
Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124]) by mx1.FreeBSD.org (Postfix) with SMTP id A95DF43D53; Sat, 29 Jul 2006 18:09:06 +0000 (GMT) (envelope-from shaun@FreeBSD.org)
Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03]) by dione.picobyte.net (Postfix) with ESMTP; Sat, 29 Jul 2006 19:09:05 +0100 (BST)
Date: Sat, 29 Jul 2006 19:09:05 +0100
From: Shaun Amott
To: Remko Lodder
Message-ID: <20060729180904.GA90113@picobyte.net>
References: <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> <44CB99E4.2080708@FreeBSD.org> <44CBA0C8.3080605@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <44CBA0C8.3080605@FreeBSD.org>
User-Agent: Mutt/1.5.11 (FreeBSD i386)
X-Mailman-Approved-At: Sat, 29 Jul 2006 19:31:59 +0000
Cc: Joel Hatton, ports@freebsd.org, freebsd-security@freebsd.org, Sergey Matveychuk
Subject: Re: Ruby vulnerability?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Sat, 29 Jul 2006 18:09:07 -0000

On Sat, Jul 29, 2006 at 07:54:16PM +0200, Remko Lodder wrote:
>
> Sergey Matveychuk wrote:
> >Shaun Amott wrote:
> >>On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
> >>>FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
> >>>far it doesn't appear in the VuXML, but am I correct in presuming it will
> >>>soon?
> >>>
> >>I've added it; thanks for the report.
> >>
> >
> >Can we get patches somewhere? I can't find any.
> >
>
> It is said that the patches are available through the CVSweb
> but all the information I could find was in Japanese, which is
> a bit difficult to read for me (read: I do not speak nor read
> Japanese at all).

The CVE report seemed to imply that there was a fix in 1.8.5, which I
assumed had therefore been released. But it seems this isn't the case.
The Ruby folks say they don't publish advisories until there is a fix
ready; and there is no mention of this vulnerability on the website.

--
Shaun Amott [ PGP: 0x6B387A9A ]
Scientia Est Potentia.