News

=========================================================== Ubuntu Security Notice USN-195-1 October 10, 2005 ruby1.8 vulnerability CAN-2005-2337 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: ruby1.8 The problem can be corrected by upgrading the affected package to version 1.8.1+1.8.2pre2-3ubuntu0.3 (for Ubuntu 4.10), or 1.8.1+1.8.2pre4-1ubuntu0.2 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. However, if you have permanently running server applications which are implemented in Ruby and use "safe levels", you need to restart them. Details follow: The object oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: safe level and taint flag on objects. Dr. Yutaka Oiwa discovered a vulnerability that allows Ruby methods to bypass these mechanisms. In systems which use this feature, this could be exploited to execute Ruby code beyond the restrictions specified in each safe level.