Topic: DoS Vulnerability Discovered in Ruby, Fix Available for Kete Software

A DoS vulnerability was recently discovered in the Ruby programming language. Kete is built using Ruby. The good news is that a fix is already available. Please follow the steps outlined below to fix your Ruby installation.

From the ruby-lang.org website:

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.

http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/

The vulnerability affects the framework Kete is built upon, so an immediate upgrade of Ruby to protect your app is recommended.

If you are already using Ruby Enterprise Edition in combination with Phusion Passenger (a module for Apache 2), as is suggested by the Kete Installation Guide, simply follow the REE upgrade guide.

If you haven't switched to REE and Passenger, we highly recommend doing it now. Using it instead of a standard Ruby installation brings the following benefits (from the Ruby Enterprise Edition homepage):

Ruby Enterprise Edition is a server-oriented friendly branch of Ruby which includes various enhancements:

  • A copy-on-write friendly garbage collector. Phusion Passenger uses this, in combination with a technique called preforking, to reduce Ruby on Rails applications' memory usage by 33% on average.
  • An improved memory allocator called tcmalloc, which improves performance quite a bit.
  • The ability to tweak garbage collector settings for maximum server performance, and the ability to inspect the garbage collector's state. (RailsBench GC patch)
  • The ability to dump stack traces for all running threads (caller_for_all_threads), making it easier for one to debug multithreaded Ruby web applications.

http://www.rubyenterpriseedition.com/

If you want to install REE and Phusion Passenger, take a look at the Installation Guide.

If you are unable to use REE, please follow the recommendations for upgrading your Ruby installation as outlined in the vulnerability announcement. Debian and Ubuntu users will likely need to patch by hand or wait for packages to become available.

 

DoS Vulnerability Discovered in Ruby, Fix Available for Kete Software by Kieran P is licensed under a Creative Commons Attribution-Share Alike 3.0 New Zealand License