Entity expansion DoS vulnerability in REXML (XML bomb)
And some small bugfixes are also included.
See tickets and ChangeLog for details.
Download
You can download this release from:
<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.tar.bz2> SIZE: 10024221 bytes MD5: a810d64e2255179d2f334eb61fb8519c SHA256: 5a7334dfdf62966879bf539b8a9f0b889df6f3b3824fb52a9303c3c3d3a58391
<URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.tar.gz> …
…language to program systems with disk operating systems like CP/M or the various forms of DOS. Object-oriented programming languages arrived together with graphical user interfaces, and for the web, comfortable high-level languages with garbage collection like Java, Ruby or Python appeared. Today there are four or five layers between the programmer and the CPU: a Ruby program is written in Ruby, Ruby is written in C, C is compiled to assembly, and assembly boils …
…in a Commodore 64 was a lot. The entirety of Turbo Pascal 3.02 for DOS, released a year later in 1986, was barely 40k. The very concept of a multiplayer virtual world of any kind, something we take for granted today since every modern website is essentially a multiplayer game now, was incredibly exotic. Look at the painstaking explanation Lucasfilm had to produce to even get folks to understand what the heck Habitat was, and how it worked:
The technical information …
Unrestricted entity expansion can lead to a DoS vulnerability in REXML. (The CVE identifier will be assigned later.) We strongly recommend upgrading Ruby.
Details
When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects, which can consume all of the memory on a machine, causing a denial of service.
Impacted code will look something like this:

    document = REXML::Document.new some_xml_doc
    document.root.text
When …
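The expansion path the advisory describes, as an added example that is not the advisory's or REXML's own code: a constructed benign document and a constructed nested-entity bomb are both run through the Document.new / root.text pattern above, and the RuntimeError a patched REXML raises when an expansion exceeds its limits is turned into a controlled rejection. The byte limit on expanded text (entity_expansion_text_limit, default 10240 bytes, exposed on REXML::Security in current releases and on REXML::Document in older ones) is the knob these fixes added; the helper names, entity names and sizes are assumptions made for this example.

```ruby
require "rexml/document"

# Constructed sample documents; element and entity names are illustrative only.
BENIGN_XML = '<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet; world</r>'

# A nested-entity bomb: level i references level i-1 `fanout` times, so the
# single &lol9; in the body stands for 10**9 copies of "lol" (about 3 GB) in a
# document of a few hundred bytes.  Reading it with an unpatched REXML is the
# allocation the advisory describes.
def bomb_xml(depth: 9, fanout: 10)
  decls = ['<!ENTITY lol0 "lol">']
  (1..depth).each do |i|
    refs = "&lol#{i - 1};" * fanout
    decls << "<!ENTITY lol#{i} \"#{refs}\">"
  end
  "<!DOCTYPE bomb [\n#{decls.join("\n")}\n]><bomb>&lol#{depth};</bomb>"
end

# A document whose root text expands to `bytes` bytes through two entity
# levels; used below to show the byte limit doing its job.
def sized_xml(bytes)
  chunk = "x" * (bytes / 20)
  "<!DOCTYPE r [<!ENTITY a \"#{chunk}\"><!ENTITY b \"#{'&a;' * 20}\">]><r>&b;</r>"
end

# The pattern from the advisory.  Document.new only stores the raw text;
# root.text is where REXML expands the entity references.
def expand_root_text(xml)
  REXML::Document.new(xml).root.text
end

# Turn a hostile document into a controlled rejection.  A patched REXML raises
# a RuntimeError once an expansion exceeds its limits ("entity expansion has
# grown too large" for the byte limit, "number of entity expansions exceeded"
# for the count limit); REXML::ParseException is a RuntimeError as well.
def safe_expand(xml)
  [:ok, expand_root_text(xml)]
rescue RuntimeError => e
  [:rejected, e.message]
end

# Where the limits live: REXML::Security in current releases, with the same
# accessors on REXML::Document in older ones.
LIMITS = defined?(REXML::Security) ? REXML::Security : REXML::Document

# Run a block under a tighter byte limit for expanded text, restoring the old
# value afterwards; the limit is process-global, so keep it scoped.
def with_text_limit(bytes)
  old = LIMITS.entity_expansion_text_limit
  LIMITS.entity_expansion_text_limit = bytes
  yield
ensure
  LIMITS.entity_expansion_text_limit = old
end

if __FILE__ == $0
  p safe_expand(BENIGN_XML)                     # [:ok, "hello world"]
  p safe_expand(bomb_xml).first                 # :rejected
  p safe_expand(sized_xml(2000)).first          # :ok under the default 10240-byte limit
  p with_text_limit(1024) { safe_expand(sized_xml(2000)).first }  # :rejected
end
```

The default limit is generous enough for ordinary documents; an application that never expects entity-heavy input can lower it further, but because the setting is global it should be set once at boot rather than toggled per request.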
…recommend adding support for the value 0, which would mean the limit is disabled. Very few users actually need the DoS prevention this variable strives to provide, as MySQL is typically protected by a firewall to begin with.
open_files_limit = 5000: strangely enough, this is where the smart selection of variable defaults seems to have been dropped, while it could be needed, as it is easy enough to set max_connections to over 5000 or to use more than 5000 tables. There is also little "saving" in keeping this …
…is no longer the default, and whatever JSON you are parsing would be vulnerable to the DoS attack: JSON.parse(json_string, :create_additions => true)
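To make the :create_additions point concrete, an added example that is not Chef's code: the same constructed JSON document parsed with the safe default and with additions re-enabled. With additions on, a json_class key chosen by whoever produced the document decides which Ruby class gets instantiated (Range here, via the json gem's own json/add/range extension); a third helper shows how to keep that opt-in usable by allowlisting the classes a document may name. Helper names and the payload are assumptions made for this example.

```ruby
require "json"
require "json/add/range"   # teaches Range to round-trip through a json_class key

# Constructed payload: the producer (possibly an attacker) names the class.
UNTRUSTED_JSON = '{"json_class":"Range","a":[1,5,false]}'

# Safe default since the fix: create_additions is off, the document stays a
# plain Hash and "json_class" is just another string key.
def parse_untrusted(json_string)
  JSON.parse(json_string)
end

# The opt-in the release notes warn about: the input now picks the class.
def parse_with_additions(json_string)
  JSON.parse(json_string, create_additions: true)
end

# Every json_class name a parsed structure carries, at any depth.
def class_names_in(node, found = [])
  case node
  when Hash
    found << node["json_class"] if node["json_class"].is_a?(String)
    node.each_value { |v| class_names_in(v, found) }
  when Array
    node.each { |v| class_names_in(v, found) }
  end
  found
end

# Hardened opt-in: parse as plain data first, refuse unless every class the
# document names is on the allowlist, and only then let the gem instantiate.
def parse_with_allowlisted_additions(json_string, allowed:)
  unknown = class_names_in(JSON.parse(json_string)).uniq - allowed
  unless unknown.empty?
    raise ArgumentError, "json_class not allowed: #{unknown.join(', ')}"
  end
  JSON.parse(json_string, create_additions: true)
end

if __FILE__ == $0
  p parse_untrusted(UNTRUSTED_JSON)        # {"json_class"=>"Range", "a"=>[1, 5, false]}
  p parse_with_additions(UNTRUSTED_JSON)   # 1..5  (a Range, not a Hash)
  p parse_with_allowlisted_additions(UNTRUSTED_JSON, allowed: ["Range"])  # 1..5
end
```

The allowlist walk costs a second parse, which is the price of deciding before any constructor runs; for input that never legitimately carries json_class the first helper is the right one.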
MVPs
Vaidas Jablonskis recently whipped up fedora packages for the Chef 11 Client, he's our Chef 11.4.0 MVP!
Brian Bianco filed the first bug for the JSON issue and provided a patch that we took a bit further. Thanks Brian, you're the Chef 10.22.0 MVP! Brian maintains the ‘redisio’ …
…with a single hardware node won't sabotage the entire system. Even if you're faced with a DoS attack, the distributed infrastructure can absorb much of the impact and keep your content available.
3.) Scalability
As your content increases in popularity, you need to be prepared for inevitable bursts in traffic. Once again, allowing your data to be distributed across a CDN makes scalability one more thing you don't have to worry about. Giving your content a larger number of …
…JRuby that's mostly interesting because of the potential hash-based DoS vulnerability it papers over. Plenty of info in this post.
KidsRuby is a kid-focused (but just as useful for adults!) Ruby editor aimed at being an environment for teaching the Ruby language. It includes tutorials and a Logo-esque turtle graphics system for more visual types of learning.
Rack is the modular Ruby Web server interface that …
…many other languages, actually released a security fix last year to patch the great hash collision DoS exploit so many folks made a big deal about (while us language implementers just sighed and said "maybe you don't actually want a hash table here, kids"). Now, the implementation we put in place has again been "exploited" and we're told we need to move to cryptographic hashing. Srsly? How about we just give you a crypto-awesome-mersenne-randomized hash impl you …
…things so that the amount of parameters stored is bounded by a size to remove the possibility of a DoS attack. Rack users should upgrade to the latest version.
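The bound the Rack fix applies, as an added illustration rather than Rack's own code: a minimal form-body parser that counts the bytes of parameter keys as it accepts them and refuses the request once a cap is hit, so a body carrying hundreds of thousands of distinct (and possibly colliding) keys is rejected after a bounded amount of work instead of being inserted into a Hash in full. The limit value, the helper names and the sample bodies are assumptions made for this example; Rack's 1.x line exposed the equivalent setting as Rack::Utils.key_space_limit.

```ruby
require "uri"

# Hypothetical cap on the total bytes of parameter keys accepted per request.
KEY_SPACE_LIMIT = 65_536

class ParameterLimitExceeded < StandardError; end

# Parse an application/x-www-form-urlencoded body into a Hash, charging every
# key's bytes against the cap before it is stored.  The check runs per pair, so
# a hostile body costs at most KEY_SPACE_LIMIT bytes of keys before rejection.
def parse_form_bounded(body, key_space_limit: KEY_SPACE_LIMIT)
  params = {}
  key_bytes = 0
  body.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key = URI.decode_www_form_component(raw_key)
    key_bytes += key.bytesize
    if key_bytes > key_space_limit
      raise ParameterLimitExceeded, "parameter keys exceed #{key_space_limit} bytes"
    end
    params[key] = raw_value && URI.decode_www_form_component(raw_value)
  end
  params
end

# Constructed hostile body: `count` distinct keys, the shape a hash-collision
# flood takes on the wire.  No honest form needs anything like this many.
def flood_body(count)
  (0...count).map { |i| "k#{i}=x" }.join("&")
end

if __FILE__ == $0
  p parse_form_bounded("a=1&b=hello+world&c")   # {"a"=>"1", "b"=>"hello world", "c"=>nil}
  p parse_form_bounded(flood_body(100)).size    # 100
  begin
    parse_form_bounded(flood_body(20_000), key_space_limit: 4096)
  rescue ParameterLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

A byte cap on keys is deliberately crude: it does not need to know how the Hash function behaves, only that a request cannot make the server store more key material than the cap, which is what turns a quadratic collision attack back into bounded work.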
JRuby's First Security Fix-Only Release
We debated rolling what we have in our 1.6 branch along with the hashing vulnerability fix (mentioned above) and pushing out 1.6.6. This was unappealing for a couple of reasons:
For stable environments deployed using 1.6.5 we would be asking them to evaluate this security fix and …