A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904.
For upgrade instructions and information on affected ruby versions please see the ruby security team’s announcement.
All users are advised to upgrade their ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your ruby installation, or are using an out-of-maintenance ruby version, there is a workaround available on github. You can either install it as a gem, or simply copy the file bigdecimal-segfault-fix.rb into config/initializers of your rails application.
via Riding Rails: DoS Vulnerability in Ruby.
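As an added example (not the github workaround the post links to, and not code from the Ruby security team), here is a Rails-style initializer that validates user-supplied decimal strings before they reach BigDecimal, so malformed or absurdly large input is rejected with a normal exception instead of reaching the parser. The digit and exponent limits are assumptions chosen for illustration; it uses the modern `BigDecimal()` constructor rather than the older `BigDecimal.new`.

```ruby
# config/initializers/safe_decimal.rb (added example; limits below are assumptions)
require 'bigdecimal'

module SafeDecimal
  MAX_DIGITS   = 64     # total significant digits accepted from user input
  MAX_EXPONENT = 1_000  # largest absolute explicit exponent accepted
  PATTERN = /\A\s*[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\s*\z/

  class InvalidInput < ArgumentError; end

  # True when +str+ is a plain decimal literal within the limits above.
  def self.acceptable?(str)
    m = PATTERN.match(str.to_s)
    return false unless m
    int_part, frac_part, exp = m[1], m[2].to_s, m[3]
    return false if int_part.length + frac_part.length > MAX_DIGITS
    return false if exp && exp.to_i.abs > MAX_EXPONENT
    true
  end

  # Converts +str+ only after validation; raises InvalidInput otherwise.
  # In a controller: SafeDecimal.parse(params[:amount]) rescue render 422.
  def self.parse(str)
    raise InvalidInput, "rejected decimal input" unless acceptable?(str)
    BigDecimal(str.to_s.strip)
  end
end
```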
We’ve been encrypting our Ubuntu laptops for a while now, but there hasn’t been a good whole disk encryption option for the Mac until today. RSA is a little behind schedule in the release, but it’s out today.
Installation was a snap. Encrypting the boot drive was easy as well: 5 mins of your time and it takes care of the business in the background while you work. Reboot when it’s done (about 90 mins later for me) and your drive is secure.

Sweet.

Ubuntu pushed patches for the aforementioned Ruby vulnerabilities last night. A quick apt-get pulls them in. Thanks for the quick response Ubuntu team!

Nate Clark is right. The risk of the recently announced Ruby vulnerabilities may or may not be high, but let’s not take any chances.
He’s done a quick and good how-to on upgrading Ubuntu servers. Check it out. Nate Rules.

Bleh, there are some nasty ruby vulnerabilities out in the wild right now. Details are here. We’ll post an update as Linux distributions get patches to let you know who needs to take action to get fixes.
We’re compiling ruby from source for the time being on production machines until updates appear.
If you need help, it’s support@imapenguin.com
You’ve got port 3306 (MySQL) firewalled off and you want to use a MySQL GUI every once in a while (or maybe a bunch).
This is a snap with ssh.
On your local Linux/BSD/Mac/Unix machine (works in cygwin too) edit your .ssh/config file and add:
Host somemysqlserver
  # your MySQL server FQDN or IP (ssh_config only accepts comments on their own line, not after an option)
  Hostname server.mydomain.com
  # replace with your valid ssh server username
  User bob
  # "*" binds 13306 on every local interface; use localhost:13306 unless other hosts must reach the tunnel
  LocalForward *:13306 localhost:3306
Now do:
ssh -f -N somemysqlserver   # -f backgrounds the session, -N runs no remote command
You can now connect to your localhost port 13306 and it will forward to your MySQL server’s port 3306.
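The config above binds the forward to every local interface (`*:13306`), so anything that can reach your workstation can reach your MySQL server through the tunnel. As an added example, not from the original post, here is a small POSIX shell/awk audit that flags such LocalForward entries in an ssh config file; the file path is supplied by the caller.

```shell
# Added example: report LocalForward entries that bind to all interfaces.
# A bind address of "*", "0.0.0.0" or "::" exposes the tunnel to other hosts.
audit_local_forwards() {
  # $1: path to an ssh config file. Prints one line per wide-open forward;
  # returns 0 when none were found and 1 otherwise.
  awk '
    /^[[:space:]]*#/ { next }                  # comment lines are skipped
    tolower($1) == "localforward" {
      n = split($2, bind, ":")                 # "*:13306" -> bind[1]="*"
      addr = (n > 1) ? bind[1] : ""            # bare "13306" has no address
      if (addr == "*" || addr == "0.0.0.0" || addr == "::") {
        printf "line %d: LocalForward %s binds all interfaces\n", NR, $2
        found = 1
      }
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}
```

Run it as `audit_local_forwards ~/.ssh/config`; a non-zero exit means at least one forward should probably be narrowed to localhost.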
Plus, it’s free and probably already installed on your systems.
Need help? support@imapenguin.com
We’re going to apply to put “componentable” in the dictionary.
Just what is “componentable” you ask?
We’ve been looking at a score of “Unified threat” solutions for the last few months. On a VERY broad scope there are a few major components of a security architecture that need to be addressed:

In this example we assume things like firewall/vpn/network based external attacks to the network are covered somewhere.
There are two basic solution groups to solving the above problem areas:

Appliances are:
- Easy to install and manage
- Typically have one interface
but:
- Have questionable scaling characteristics
- Typically make it difficult to replace one component
Software solutions:
- Have good scaling solutions (it’s trivial to buy better hardware)
- Make it easy to swap one product for a given solution
but:
- Require multiple interfaces to control, manage and report
- Require operating system management on top of the component’s management requirements
In PART 2, we’ll talk about some ways to select solutions that have some advantages of both approaches, then later in the series we’ll talk about how to develop your apps to do a hybrid of both approaches.

In Ars Technica’s article today, Firefox JavaScript security ‘a complete mess’? More like a hoax, they cite Mischa Spiegelmock as saying:
“I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code,”
and that there wasn’t any new exploit that was discovered. The editor notes that the story link is where they will update the details as they come in.
This is considerably less worrisome than the remote-control exploit this was originally reported as.
Stay tuned, er, browsed, whatever.
“We’re still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here’s Rails 1.1.5!
This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assailants.
So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.
For the third time: This is not like ‘sure, I should be flossing my teeth’. This is ‘yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour’. It’s not a suggestion, it’s a prescription. So get to it!
As always, the trick is to do ‘gem install rails’ and then either change config/environment.rb, if you’re bound to gems, or do ‘rake rails:freeze:gems’ if you’re freezing gems in vendor.
UPDATE: This problem affects 0.13, 0.14, 1.0, and 1.1.x. So here’s a happy opportunity to upgrade if you still haven’t.
P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we’ll try to work with you on a solution.
”
(Via Riding Rails.)
Root Password Readable in Clear Text with Ubuntu: “BBitmaster writes ‘An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away.’
”
(Via Slashdot.)