BigDecimal Vulnerability in Ruby 1.8.6 and 1.8.7

By Joe Arnold | June 10th, 2009 at 9:06AM

Yesterday, the first security vulnerability since Engine Yard took over maintenance of Ruby 1.8.6 was reported. It is a denial-of-service vulnerability in BigDecimal: an attacker can cause a segmentation fault by supplying a very large number as input. ActiveRecord relies on BigDecimal, but the issue is not Rails-specific.

Today, as part of our maintainer role for 1.8.6, we published a fix as part of Ruby 1.8.6 patch-level 369 and as a part of Ruby 1.8.7 patch-level 173.
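As an added example (not Engine Yard's code and not part of the original post), the Ruby snippet below does the two things an operator would want after reading this: it checks whether the running interpreter's version and patchlevel are at or above the fixed 1.8.6-p369 / 1.8.7-p173 levels, and it bounds the size of untrusted numeric strings before they reach BigDecimal, so an oversized value is rejected with an ArgumentError instead of being parsed. The length and exponent limits (64 characters, exponent magnitude 1000) and the helper names are assumptions chosen for illustration.

```ruby
require 'bigdecimal'

# Patch levels that carry the BigDecimal fix, as stated in the post.
FIXED_PATCHLEVEL = { '1.8.6' => 369, '1.8.7' => 173 }

# Returns true when the given Ruby version/patchlevel carries the fix,
# false when it does not, and nil when the version is not one of the two
# 1.8.x releases the advisory covers.
def bigdecimal_fix_present?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  needed = FIXED_PATCHLEVEL[version]
  return nil if needed.nil?
  patchlevel.to_i >= needed
end

# Assumed limits: generous for any real-world currency or quantity field,
# but far below anything that would stress BigDecimal's parser.
MAX_NUMERIC_LENGTH = 64
MAX_EXPONENT = 1_000

# Validates an untrusted numeric string before converting it.  Rejects
# input that is too long, is not a plain decimal literal, or carries an
# exponent outside the assumed range.  Returns a BigDecimal on success.
def safe_bigdecimal(str, max_len = MAX_NUMERIC_LENGTH)
  s = str.to_s.strip
  if s.length > max_len
    raise ArgumentError, "numeric input too long (#{s.length} > #{max_len})"
  end
  # Optional sign, digits, optional fraction, optional signed exponent.
  m = /\A[-+]?\d+(?:\.\d+)?(?:[eE]([-+]?\d+))?\z/.match(s)
  raise ArgumentError, "not a plain decimal number: #{s.inspect}" unless m
  if m[1] && m[1].to_i.abs > MAX_EXPONENT
    raise ArgumentError, "exponent out of range: #{m[1]}"
  end
  BigDecimal(s)
end

if __FILE__ == $0
  status = bigdecimal_fix_present?
  puts "Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: fix present? #{status.inspect}"
  # Constructed sample inputs: a normal price and an oversized digit string.
  ['19.99', '1' * 200].each do |input|
    begin
      puts "#{input[0, 20]}... -> #{safe_bigdecimal(input).to_s}"
    rescue ArgumentError => e
      puts "#{input[0, 20]}... rejected: #{e.message}"
    end
  end
end
```

The guard is a belt-and-braces measure for applications that accept numeric input from the network and cannot upgrade immediately; it is not a substitute for moving to the patched release.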

The issue was initially discovered and fixed in the Ruby 1.9.1 trunk. We backported the fix to 1.8.6 by writing a test, watching it fail, then making it pass (the same way we always do). As part of our test-driven approach, Kirk Haines then added a test in RubySpec to test for the condition. We ran the test suite on OSX, RedHat Enterprise 3, CentOS 4, 32 and 64 bit Engine Yard Solo instances, and an Engine Yard Slice to verify the fix.

Engine Yard customers have been notified about the vulnerability via email with instructions on how to upgrade. Engine Yard Solo customers can get the new, patched version of Ruby 1.8.6 simply by redeploying their environments. In the future, new Engine Yard deployments will automatically get the new version.

3 Responses to “BigDecimal Vulnerability in Ruby 1.8.6 and 1.8.7”

  1. [...] upgrading your slices to a patched version as soon as possible. For more information please see http://www.engineyard.com/blog/2009/bigdecimal-vulnerability-in-ruby-186-and-187/. « [...]

  2. Alex Le says:

    For existing customers with a live production application, do you have an ETA to apply the fix? And how long would the application be taken down while the fix is applied?

  3. Michael Mullany says:

    Alex, if you are a slice/cluster customer, please open a ticket with support to arrange a maintenance window to be upgraded. We do not patch customer environments without consent.