Ruby News

Ruby 1.8.6 released!

Mon, 12 Mar 2007 21:52:53 GMT

Ruby 1.8.6 has been released (see the announcement on Ruby-Talk). The source is available in three formats:

md5: e558a0e00ae318d43bf6ff9af452bad2
sha256: 0fc6ad0b31d8ec3997db2a56a2ac1c235283a3607abb876300fc711b3f8e3dd7

ruby-1.8.6.tar.gz (4.4 MB)

md5: 23d2494aa94e7ae1ecbbb8c5e1507683
sha256: 3ef37fb961d04471a1aef2c8079d6fab09932e3281d79859d5cd5d426bde0868

ruby-1.8.6.zip (5.3 MB)

md5: 5f4b82cec8f437634e05a3ce9bb3ca67
sha256: c4b011d66b3f7e3bddbdf61a7404120d5ac80c6b742ad08e7e75b6d14ee56e76

For a brief list of user visible changes and a full list of all changes since 1.8.5, see the bundled files NEWS and ChangeLog.

After this announcement, we will start the development for 1.8.7 as well as maintaining the “ruby_1_8_6” branch on which only critical bugs and security vulnerabilities found in the 1.8.6 release are fixed, and patch releases will follow on appropriate and timely occasions. Please check them out after upgrading Ruby to 1.8.6.

CVS services will be permanently unavailable

Thu, 01 Mar 2007 00:46:32 GMT

CVS services (including CVSup and CVSweb) will be permanently unavailable on Fri Mar 16 03:00 UTC 2007. The source code repositry has been moved to SVN.

If you require the CVS repositry, please get it by CVSup till that day.

IP Address Change

Wed, 21 Feb 2007 10:12:21 GMT

The IP address of the server will be changed on Thu Feb 22 03:00:00 UTC 2007, and WWW/FTP/ML and Anonymous CVS services will be stopped in a few minutes.

Sorry for inconvenience.

MountainWest Speaker List Posted

Fri, 26 Jan 2007 08:25:39 GMT

The list of speakers and topics for MountainWest RubyConf has gone up.

There’s also a nice social site for the conference as well.

MountainWest RubyConf 2007 Registration Now Open

Wed, 24 Jan 2007 23:14:46 GMT

Registration for the upcoming MountainWest RubyConf is open.

This regional Ruby conference will be in Salt Lake City, Utah, USA, on March 16 and 17, 2007.

$50 gets you a seat and a T-shirt. More details are forthcoming, but, trust me, this will be good.

Ruby on Rails Bootcamp in Georgia

Wed, 27 Dec 2006 21:35:10 GMT

Big Nerd Ranch, Inc. is offering their Ruby on Rails Bootcamp classes in a retreat setting outside Atlanta, GA the week of February 12th-16th. For more information you can find the press release at http://bignerdranch.com/news/2006-10-11.shtml.

CVS Repository moved to SVN

Fri, 22 Dec 2006 10:59:26 GMT

We have moved the source code repository to http://svn.ruby-lang.org/repos/ruby/. You can checkout it using the svn command, or you can also browse it by ViewVC.

The new machine for svn.ruby-lang.org is provided by Sun Microsystems. We are using Solaris 10 on the new machine, and it works pretty well.

Ruby on Rails Bootcamp in Germany

Wed, 20 Dec 2006 22:30:36 GMT

Big Nerd Ranch Europe is offering their Ruby on Rails Bootcamp classes in Kloster Eberbach, Germany (near Frankfurt) the week of March 26th-30th. For more information you can find the press release at http://www.bignerdranch.com/news/2006-12-20.shtml.

Another DoS Vulnerability in CGI Library

Mon, 04 Dec 2006 02:00:40 GMT

Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

This vulnerability is open to the public as JVN#84798830.

Please note that the previous patch (<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>) does not fix this problem.

Impact

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.

Vulnerable versions

1.8 series: 1.8.5 and all prior versions
Development version (1.9 series): All versions before 2006-12-04

Solution

1.8 series

Please upgrade to 1.8.5-p2.

<URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz> (4519151 bytes, md5sum: a3517a224716f79b14196adda3e88057)

Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)

Please update your Ruby to a version after 2006-12-04.

DoS Vulnerability in CGI Library

Fri, 03 Nov 2006 16:35:33 GMT

A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and has an invalid boundary specifier that begins with “-” instead of “--”. Once triggered it will exhaust all available memory resources effectively creating a DoS condition.

Ruby 1.8.5 and all prior versions are vulnerable. This vulnerability is open to the public as CVE-2006-5467.

Vulnerable Versions

1.8 series: 1.8.5 and all prior versions
Development version (1.9 series): All versions before 2006-09-23

Solution

1.8 series

Please apply the patch after you update to Ruby 1.8.5:

CGI DoS Patch (367 bytes; md5sum: 9d25f59d1c33a0b215f6c25260dcb536)

Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)

Please update your Ruby to a version after September 23, 2006.

References

[SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack