Entity expansion vulnerability in ( bomb)
And some small bugfixes are also included.
You can download this release from:
<URL:ftp://ftp.ruby-lang.org/pub/ ruby/1.9/ruby-1.9.3-p392.tar.bz2> SIZE: 10024221 bytes MD5: a810d64e2255179d2f334eb61fb8519c SHA256: 5a7334dfdf62966879bf539b8a9f0b889df6f3b3824fb52a9303c3c3d3a58391
<URL:ftp://ftp.ruby-lang.org/pub/ ruby/1.9/ruby-1.9.3-p392.tar.gz> …
…language to program systems with disk-operating systems like CP/M or various forms of DOS. Together with graphical user interfaces object-oriented programming languages arrived, and for the web comfortable high-level languages like Java, Ruby or Python with garbage collection appeared. Today we have 4 or 5 layers between the programmer and the CPU: for example for Ruby programs the programs are written in Ruby, Ruby is written in C, C is written in Assembly, and Assembly boils …
…in a was barely 40k . The very concept of a multiplayer virtual world of any kind - something we take for granted today, since every modern website is essentially a multiplayer game now — was incredibly exotic. Look at the painstaking explanation Lucasfilm had to produce to even get folks to understand what the heck Habitat was, and how it worked:was a lot . The entirety of 3.02 for DOS, released a year later in 1986,
The technical information …
When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
Impacted code will look something like this: document = REXML::Document.new some_xml_doc document.root.text
…recommend adding support for value 0 which would mean limit disabled. Very few users actually need DOS prevention this variable strives to provide as MySQL is typically protected by Firewall to begin with.
open_files_limit = 5000 strangely enough this is where the smart selection of variable default seems to be removed, while it could be needed as it is easy enough to set max_connections to over 5000 or use more than 5000 tables. There is also little "savings" in keeping this …
…is no longer the default and whateveryou are parsing would be vulnerable to the attack: (json_string, :create_\additions => true)
Vaidas Jablonskis recently whipped up fedora packages for the 11 , he's our Chef 11.4.0 MVP!
Brian Bianco filed the first bug for the JSON issue and provided a patch that we took a bit further. redisio ‘ …Brian, you're the Chef 10.22.0 MVP! Brian maintains the ‘
…with a single hardware node won't sabotage the entire system. Even if you're faced with a DoS attack, the distributed infrastructure can neutralize the impact and keep your availability at 100%.
As your content increases in popularity, you need to be prepared for inevitable bursts in traffic. Once again, allowing your data to be distributed across a CDN makes scalability one more thing you don't have to worry about. Giving your content a larger number of …
…that's mostly interesting because of the potential DOS vulnerability it papers over. Plenty of info in this post.
is a kid-focused (but just as useful for adults!) Ruby editor aimed at being an environment for teaching the language. It includes tutorials and a Logo-esque turtle graphics system for more visual types of learning.
Rack is the modular Rubyinterface that …
…many other languages, actually released a security fix last year to patch the great hash collision DoS exploit so many folks made a big deal about (while us language implementers just sighed and said "maybe you don't actually want a hash table here, kids"). Now, the implementation we put in place has again been "exploited" and we're told we need to move to cryptographic hashing. Srsly? How about we just give you a crypto-awesome-mersenne-randomized hash impl you …
…things so that the amount of parameters stored is bounded by a size to remove the possibility of a DOS attack. Rack users should upgrade to the latest version.
JRuby's First Security Fix-Only Release
We debated rolling what we have in our 1.6 branch along with the hashing vulnerability fix (mentioned above) and pushing out 1.6.6. This was unappealing for a couple of reasons:
For stable environments deployed using 1.6.5 we would be asking them to evaluate this security fix and …