Archive: posts from June 2009

Passenger 2.2.4 packages for Ubuntu 29 Jun 09

Passenger 2.2.4 was released last week and we now have Ubuntu Hardy packages available in our repository.

Passenger 2.2.4 actually is just a small bug fix release for a memory leak in 2.2.3, but obviously brings all the benefits of 2.2.3 too.  A huge number of bugs have been fixed, particularly the “Broken Pipe” errors some sites under heavy loads were experiencing.

As usual, details on installing the packages from our repository are available on our wiki.

If you’re using Passenger and it’s making you happy, please do consider supporting its development by donating money in the form of an “Enterprise License” direct from Phusion, the company behind it.

New: 4GB Brightbox PLUS increased CPU on 1GB and above! 19 Jun 09

A few days ago we added a new 4GB Brightbox product to our virtual machine range. Several customers have had 4GB boxes for a while now (on special request :) – but they’re now available for anyone. The 4GB Brightbox comes with burstable dual CPU, 50GB SAN storage, 25 MySQL cluster connections and 1.6TB/month data transfer!

We’ve also changed the CPU allocation for Brightbox 1GB and 2GB products so that they now also benefit from being able to burst to 2 CPU cores – effectively doubling CPU for both products!

Previously, the Brightbox 2GB product had a single “dedicated” core but having spent some time reviewing usage stats it was clear that CPU is considerably under utilised across all of our host machines so we could be confident that no existing customers would actually lose out by this change. If you currently have a 1GB or 2GB Brightbox and want to upgrade to the new CPU allocations, raise a support ticket and we’ll arrange the config change and reboot.

Ruby BigDecimal denial of service 10 Jun 09

From ruby-lang.org:

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.

We’re currently  building new Ruby packages for Brightbox customers with the relevant patches to fix this vulnerability. We’ll keep this post updated with the latest news.

UPDATE, 15:46 BST: New Ruby EE packages are now available in our Ruby Enterprise Ubuntu repository. We’re working on updates for the standard Ubuntu version of Ruby.

You can confirm that the update fixes the bug with the following command:

ruby -e 'require "bigdecimal";BigDecimal("E99999999").to_s("F");puts "OK"'

If your version of Ruby is vulnerable, you’ll get a “Segmentation fault” error message, otherwise it prints “OK”.

UPDATE: Official Ubuntu packages to fix this vulnerability are now available.  The Hardy package is libruby1.8 version 1.8.6.111-2ubuntu1.3 and the Dapper package is libruby1.8 version 1.8.4-1ubuntu1.7.  The packages will be available for install after a normal apt-get update.