From: Sergey Matveychuk <sem@FreeBSD.org>
Date: Sat, 29 Jul 2006 23:49:48 +0400
To: Shaun Amott
Cc: Joel Hatton, ports@freebsd.org, Remko Lodder, freebsd-security@freebsd.org
Subject: Re: Ruby vulnerability?
Message-ID: <44CBBBDC.70409@FreeBSD.org>
In-Reply-To: <20060729180904.GA90113@picobyte.net>
References: <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> <44CB99E4.2080708@FreeBSD.org> <44CBA0C8.3080605@FreeBSD.org> <20060729180904.GA90113@picobyte.net>
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

Shaun Amott wrote:
> On Sat, Jul 29, 2006 at 07:54:16PM +0200, Remko Lodder wrote:
>> Sergey Matveychuk wrote:
>>> Shaun Amott wrote:
>>>> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
>>>>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
>>>>> far it doesn't appear in the VuXML, but am I correct in presuming it will
>>>>> soon?
>>>>>
>>>> I've added it; thanks for the report.
>>>>
>>> Can we get patches somewhere? I can't find any.
>>>
>> It is said that the patches are available through the CVSweb
>> but all the information I could find was in Japanese, which is
>> a bit difficult to read for me (read: I do not speak nor read
>> Japanese at all).
>
> The CVE report seemed to imply that there was a fix in 1.8.5, which I
> assumed had therefore been released. But it seems this isn't the case.
>
> The Ruby folks say they don't publish advisories until there is a fix
> ready; and there is no mention of this vulnerability on the website.
>

The CVE report is very unpleasant: "Multiple unspecified vulnerabilities". Secunia has a more professional report. RedHat is the only vendor who released updates, but they are binary. So, there is no known fix now. I hope the Ruby team will release 1.8.5 ASAP.

--
Dixi.
Sem.