Date: Sun, 30 Jul 2006 12:13:22 +0900
From: =?ISO-2022-JP?B?GyRCPyJFRBsoQiAbJEJNNUc3GyhC?= <ueda@netforest.ad.jp>
To: Sergey Matveychuk <sem@FreeBSD.org>
Cc: Joel Hatton <freebsd@auscert.org.au>, ports@freebsd.org, Remko Lodder <remko@FreeBSD.org>, freebsd-security@freebsd.org, Shaun Amott <shaun@FreeBSD.org>
Subject: Re: Ruby vulnerability?
Message-ID: <20060730114238.F96A.UEDA@netforest.ad.jp>
In-Reply-To: <44CBBBDC.70409@FreeBSD.org>
References: <20060729180904.GA90113@picobyte.net> <44CBBBDC.70409@FreeBSD.org>
Dear Sirs,

> CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
> Secunia has more professional report.
>
> RedHat is only vendor who released updates, but they are binary. So,
> there is no known fix now.

The following information may help you:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

But matz (ruby creator) has not mentioned this yet. And he has said that he has no will to release a patch for the vulnerabilities.

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-list/42575

The message is in Japanese and the content is as follows.

At present, a patch for these vulnerabilities is not ready because the problems occur only with $SAFE=4. So the vulnerabilities will be serious only when all the following conditions are satisfied.

* You use $SAFE=4 sandbox
* You run untrusted code

> I hope ruby team will release 1.8.5 ASAP.

On 18th July, ruby 1.8.5 preview2 was released, and the release date of 1.8.5 will be near the middle of August if they work on schedule.

Best regards.

-----
UEDA Hiroyuki <ueda@netforest.ad.jp>