Apple tech discovers Ruby security hole
updated 04:15 pm EDT, Fri June 20, 2008
Apple tech finds Ruby hole
An Apple technician has identified a vulnerability in the Ruby development platform, according to a security advisory. Drew Yao of the Apple Product Security team is said to have discovered multiple arbitrary code execution vulnerabilities which, if exploited, could be used to mount a denial-of-service attack or to undermine a system through other local means. The vulnerabilities only affect specific versions of Ruby 1.8.4 through 1.8.7, and 1.9.
Ruby 1.8 users can fix the problem by upgrading to 1.8.5-p231, 1.8.6-p230 or 1.8.7-p22, depending on their branch, while 1.9 users must move to 1.9.0-2. These updates also address a WEBrick vulnerability.
Mac OS X Leopard includes Ruby on Rails, a Ruby-based framework meant to speed up web development.
how to fix...
I was running 10.5.2, and I was vulnerable (yeah, I really need to update my lazy a** to 10.5.3...). If you follow the link in the story, you can see which patchlevel of ruby you need to be safe. You can check which patchlevel of ruby you have installed by launching Terminal.app (in your Utilities folder) and typing "ruby --version". Mine was reported as "ruby 1.8.6 (2007-09-24 patchlevel 111)". The article says that for ruby 1.8.6, anything below patchlevel 230 is vulnerable; therefore, I had to download and install ruby 1.8.6 p230 to fix this vulnerability. I'm sure Apple will have an automated fix ready soon, but that's how you close the hole now.
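A small check along the lines of the comment above, added here as an example (it is not code from the article or the commenter): it parses a `ruby --version` line and compares the reported patchlevel against the fixed 1.8.x builds the article names (1.8.5-p231, 1.8.6-p230, 1.8.7-p22). Treating 1.8.4 as needing an upgrade and reporting 1.9 as "unknown" (its version string carries a revision, not a patchlevel) are my assumptions, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example: classify a `ruby --version` line against the fixed
# patchlevels the article lists for the 1.8 branch.

# Print "fixed", "vulnerable" or "unknown" for one version line.
ruby_patch_status() {
    line="$1"
    # Second field is the x.y.z version, e.g. "1.8.6".
    ver=$(printf '%s\n' "$line" | awk '{print $2}')
    # Number after "patchlevel"; empty if absent (1.9 lines show a revision).
    pl=$(printf '%s\n' "$line" | sed -n 's/.*patchlevel \([0-9][0-9]*\).*/\1/p')
    case "$ver" in
        1.8.5) need=231 ;;
        1.8.6) need=230 ;;
        1.8.7) need=22 ;;
        # Assumption: the article names no fixed 1.8.4 build, so treat it as
        # vulnerable and upgrade to a fixed 1.8.5/6/7 release.
        1.8.4) echo vulnerable; return 0 ;;
        # Assumption: 1.9 is out of scope for a patchlevel comparison.
        *)     echo unknown; return 0 ;;
    esac
    if [ -z "$pl" ]; then
        echo unknown
    elif [ "$pl" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the locally installed interpreter, if there is one.
if command -v ruby >/dev/null 2>&1; then
    ruby_patch_status "$(ruby --version)"
fi
```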