Slashdot Mirror


Multiple Security Holes In Ruby 1.8, 1.9

ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."

12 of 148 comments

  1. Re:The real story by mccalli · · Score: 4, Insightful

    The real story here is how quickly the bugs were patched. I'd like to see MS respond half as fast to holes in Windows and its attendant parts and pieces.

    No. The real story here is the security bugs, precisely as described. This isn't cheerleading - to users of Ruby it really doesn't matter how fast some other imagined patch might have come out from another company for a different product. If I'm running Ruby, I need to know that these bugs exist and that patches can be applied for them.

    Drop the us vs. them thinking - it doesn't help and is pretty much just FUD.

    Cheers,
    Ian

  2. Re:The real story by Anonymous Coward · · Score: 5, Funny

    sooo... open source failed? that's what it sounds like you're saying. beware of pitchfork carrying moderators ;)

  3. Re:Confirmation by larry+bagina · · Score: 4, Interesting

    "Enterprise" means you don't blindly install updates on day 0.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  4. Re:message to staff at Apple HQ by LunarCrisis · · Score: 5, Insightful

    The bugs would have been there even if Apple hadn't found them. Why not thank them for improving the quality of Ruby?

    --
    Mr. Period: Nine is the one that's right by ten!
    Nine: One day I will kill him. Then, I will be Ten.

  5. Re:The real story by CrazedWalrus · · Score: 5, Insightful

    How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I didn't RTFA, but presumably Drew Yao, a member of the security team, was security auditing the code. This activity would have been much harder to impossible with closed source code.

    I'd say the system worked as advertised here.

  6. Re:The real story by headLITE · · Score: 4, Insightful

    A vulnerability in an open source project was found by a third party doing a security audit of the code. The possibility to validate the source code is exactly what open source proponents claim is the reason for open source being more secure. Everybody can have a go, a thousand pairs of eyes see more than one pair, and all that. Try auditing Visual Basic 6 for comparison.

  7. good news by corbettw · · Score: 4, Funny

    Now it's time to start calling up all those RoR sites and use this to convince them to switch to Django.

    --
    God invented whiskey so the Irish would not rule the world.

  8. Re:Confirmation by /ASCII · · Score: 5, Funny

    No, "Enterprise ready" means they didn't have to deal with that shit on Star Trek.

    --
    Try out fish, the friendly interactive shell.

  9. Re:The real story by Anonymous Coward · · Score: 5, Insightful

    How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I'd say the system worked as advertised here.

    Slight correction -- it's a function of how many qualified and honest people are looking at the code. Now, the skilled but dishonest Russian hacking cartels had a financial incentive to look through the code for security problems; comparatively few security researchers had financial incentives to do so. Are you really sure this is the first time this bug has been discovered? Or just the first time by nice cooperative people who don't exploit it and keep it secret?

  10. Someone had to say... by Hognoxious · · Score: 4, Funny

    Ruby - it's the new PHP.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  11. Funny how open source always wins... by Anonymous Coward · · Score: 5, Insightful

    Case 1: the code has no bugs: "many eyes make for shallow bugs!" everyone chants.

    Case 2: the code has bugs which get reported and fixed. "See, this would have taken much longer if the source was closed!" This claim is impossible to verify objectively but is stated as a fact, regardless of how trivial the bugs are.

  12. Re:message to staff at Apple HQ by UnknowingFool · · Score: 4, Insightful

    Apple finds serious bugs in Ruby. They tell the Ruby developers. Ruby developers issue patches. That's not sensational.

    MS finds a bug in Safari. They tell everyone not to use Safari. I see slight differences. :P

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.