Ruby Security Vulnerabilities 25 Jun 08

Some of you will have noticed the kerfuffle regarding the recent Ruby security vulnerabilities.  Fixed version of Ruby were released over the weekend but they are causing crashes in applications.  Until working fixes are available we’re all a bit stuck.

Details of the bugs have been kept officially secret but people are figuring it out for themselves (thanks to Zed in particular).  This secrecy has just contributed to the fear, uncertainty and doubt surrounding the issues and hasn’t helped the situation at all.

We currently recommend sitting tight until proper fixes are available.  When this happens, distros will release new packages in the usual manner.  Brightboxes are based on the Ubuntu distro and their security team are aware of the problem and are working on it (see the bug status here).

For those of you using the standard Ruby from Dapper (most of you) you should be able to just upgrade  using aptitude as soon as Ubuntu release new packages.  For those of you using the backported Ruby 1.8.6 packages, you’ll need to wait for us to backport the fixes once they’re released.  We’ll obviously be doing this asap.

We’ll update the blog as we know more.

UPDATE: Ubuntu have fixed ruby1.8 packages available now. They have already appeared in the Ubuntu security repository and are available for install.  Preliminary testing of the Dapper packages has been successful (gems with native libraries too).  We’re re-backporting the Hardy 1.8.6 packages right now and they’ll be available soon.

UPDATE: We have the fixed Hardy packages (1.8.6-p111) backported to Dapper available on the Brightbox testing apt repository.  They’ve passed a lot of preliminary tests but have not been tested extensively in production yet.  Please report any problems  with them (segfaults etc.) to support@brightbox.co.uk.