Posted by Nathan Kaiser on Wed Jun 10 09:52:00 UTC 2009
Yesterday, both the Rails core team and the Ruby team announced a vulnerability in Ruby's BigDecimal library. This vulnerability does not allow remote access to your data; however, it can allow an attacker to mount a Denial of Service attack against your application, effectively taking it down. To quote the Ruby Team…
ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.
We've promptly patched our Ruby RPMs and posted information on how to update in our System Status blog. For users on Debian or Ubuntu, updates should be hitting their repos over the next few days. If you can't upgrade, we recommend you implement the workarounds provided by the Rails core team. Information on those can be found here:
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby
Our patching instructions for our RPM versions are available here:
http://www.blueboxgrp.com/system_status/2009/06/ruby_security_bug
We strongly recommend that all of our customers follow those instructions as soon as possible. For assistance, please don't hesitate to contact us.
Thanks!
- Jesse Proudman
Blue Box Group