Ruby Findings

digging for gems

[SECURITY] Arbitrary code execution vulnerabilities

Posted by Bill Marquette Sat, 21 Jun 2008 21:25:00 GMT

Time to upgrade your Ruby installs. This advisory came out yesterday covering five CVEs that impact every current Ruby release.

Officially impacted versions:

1.8 series

  • 1.8.4 and all prior versions
  • 1.8.5-p230 and all prior versions
  • 1.8.6-p229 and all prior versions
  • 1.8.7-p21 and all prior versions

1.9 series

  • 1.9.0-1 and all prior versions

Read the advisory for remediation information. Matasano also has a great writeup on the advisory here. Wonder what it would take to blow out the Rails params array with this (I’ll leave that to the professionals; I’d rather just patch it and move on right now). Scary stuff!

Update: Per comments on the Ruby on Rails blog post, you will break your Rails install if you upgrade to 1.8.6-p230, and 1.8.7 is only compatible with Rails 2.1. You might want to test the latest Ruby with your app on a dev site before blindly upgrading your production Ruby install.
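As an added example (my own, not from the advisory, the Matasano writeup or the Ruby project), here is a small checker that turns the version list above into code: it parses Ruby's release naming ("1.8.6-p229", "1.9.0-1", plain "1.8.4") and reports whether a given version falls inside the ranges the advisory lists as affected. The only assumptions are that a version with no suffix is patchlevel 0 and that the "-1" in "1.9.0-1" is compared like a patchlevel; the function and constant names are mine.

```ruby
# Added example: classify a Ruby version string against the affected ranges
# listed in the advisory. Not part of the advisory or this post.

# branch => highest affected patchlevel on that branch (transcribed from the list)
PATCHLEVEL_LIMITS = {
  [1, 8, 5] => 230,   # 1.8.5-p230 and all prior
  [1, 8, 6] => 229,   # 1.8.6-p229 and all prior
  [1, 8, 7] => 21,    # 1.8.7-p21 and all prior
  [1, 9, 0] => 1,     # 1.9.0-1 and all prior (assumption: "-1" compared as a patchlevel)
}.freeze
LAST_WHOLLY_AFFECTED = [1, 8, 4].freeze   # 1.8.4 and every earlier release

# Parse "MAJOR.MINOR.TEENY[-pN|-N]" into [major, minor, teeny, patch].
# A missing suffix is taken as patchlevel 0 (assumption: first release of the branch).
def parse_ruby_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:-p?(\d+))?\z/)
  raise ArgumentError, "unrecognised Ruby version: #{str.inspect}" unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, (m[4] || '0').to_i]
end

# true when the advisory lists this version as affected; false when it is newer
# than every listed range or on a branch the advisory does not name at all.
def affected_by_advisory?(str)
  major, minor, teeny, patch = parse_ruby_version(str)
  base = [major, minor, teeny]
  return true if (base <=> LAST_WHOLLY_AFFECTED) <= 0
  limit = PATCHLEVEL_LIMITS[base]
  !limit.nil? && patch <= limit
end

# Check the interpreter running this script. RUBY_PATCHLEVEL is -1 on
# development builds; treat that as 0 so the comparison still works.
def running_ruby_affected?
  patch = RUBY_PATCHLEVEL < 0 ? 0 : RUBY_PATCHLEVEL
  affected_by_advisory?("#{RUBY_VERSION}-p#{patch}")
end

if __FILE__ == $PROGRAM_NAME
  %w[1.8.4 1.8.6-p229 1.8.6-p230 1.8.7-p21 1.9.0-1 1.9.0-2].each do |v|
    puts "#{v}: #{affected_by_advisory?(v) ? 'AFFECTED' : 'not listed'}"
  end
  puts "this interpreter (#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}): #{running_ruby_affected?}"
end
```

Run it on each host before and after the upgrade; a branch the advisory never names (1.8.8, 1.9.1 and later) comes back "not listed" rather than "fixed", which is the honest answer the list above supports.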

If you want to put a little laugh back into the day, read Zed Shaw’s rant. And yes, there is actually some good info there, it’s worth a read.


On the fly field encryption/decryption

Posted by Art Green Sat, 05 Jan 2008 20:52:00 GMT

"ActsAsSecure adds the ability to store an ActiveRecord model's fields encrypted in a DB. When a model is marked with acts_as_secure, the :binary type fields are recognized as needing to be stored encrypted. The plugin does before_save/after_save/after_find encryption/decryption, thus making it transparent for code using secured models.

The plugin supports a master key approach as well as individual record encryption keys. It does not contain any crypto provider but allows plugging in any external one as long as it supports encrypt/decrypt methods."

http://revolutiononrails.blogspot.com/2007/04/plugin-release-actsassecure.html

The site has some other goodies too.
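To make the pattern concrete, here is an added example in plain Ruby that is not the plugin's code: a pluggable provider with encrypt/decrypt (AES-256-GCM from Ruby's OpenSSL binding, my choice, not the plugin's), a model that encrypts declared fields on save and decrypts them on find, and both key modes the description mentions, a master key and a per-record key. ActiveRecord is replaced by an in-memory table so it runs offline; the names AesGcmProvider, ActsAsSecureLike and Patient are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not the ActsAsSecure plugin's own code: a plain-Ruby sketch of
# the pattern the post describes. A pluggable provider exposes encrypt/decrypt;
# a model declares which fields are secured, encrypts them on save and decrypts
# them on find, so code using the model only ever sees plaintext.

# Crypto provider (constructed for this example): AES-256-GCM from Ruby's
# OpenSSL binding. Stored layout: 12-byte IV || 16-byte auth tag || ciphertext.
class AesGcmProvider
  def encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key                     # 32-byte key
    iv = cipher.random_iv                # fresh random IV for every field on every save
    out = plaintext.empty? ? ''.b : cipher.update(plaintext)  # update rejects ''
    out << cipher.final
    iv + cipher.auth_tag + out
  end

  def decrypt(blob, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = blob[0, 12]
    cipher.auth_tag = blob[12, 16]
    body = blob[28..-1]
    out = body.empty? ? ''.b : cipher.update(body)
    out << cipher.final                  # raises CipherError on wrong key or tampering
  end
end

# Stand-in for the acts_as_secure macro: the real plugin hooks ActiveRecord's
# before_save/after_save/after_find callbacks; here save and find do the steps inline.
module ActsAsSecureLike
  def acts_as_secure(provider:, master_key:, fields:)
    @provider, @master_key, @secure_fields = provider, master_key, fields
  end
  attr_reader :provider, :master_key, :secure_fields
end

class Patient
  extend ActsAsSecureLike
  TABLE = {}   # constructed in-memory "database": id => stored row

  attr_reader :id, :attributes

  # record_key: optional per-record key; nil means use the master key
  def initialize(attributes, record_key: nil, id: nil)
    @attributes, @record_key, @id = attributes.dup, record_key, id
  end

  def save
    key = @record_key || self.class.master_key
    row = attributes.dup
    self.class.secure_fields.each do |f|          # before_save: encrypt into the stored copy
      row[f] = self.class.provider.encrypt(row[f], key)
    end
    @id ||= TABLE.size + 1
    TABLE[@id] = row
    self                                          # after_save: the object still holds plaintext
  end

  def self.find(id, record_key: nil)
    row = TABLE.fetch(id).dup
    key = record_key || master_key
    secure_fields.each do |f|                     # after_find: decrypt before handing back
      row[f] = provider.decrypt(row[f], key)
    end
    new(row, record_key: record_key, id: id)
  end

  def self.stored(id, field)
    TABLE.fetch(id)[field]
  end
end

# Exercise both key modes and the wrong-key failure path.
def field_encryption_demo
  Patient.acts_as_secure(provider: AesGcmProvider.new,
                         master_key: SecureRandom.random_bytes(32),
                         fields: [:ssn])
  Patient::TABLE.clear
  master_rec = Patient.new({ name: 'Ada', ssn: '123-45-6789' }).save
  per_key = SecureRandom.random_bytes(32)
  keyed_rec = Patient.new({ name: 'Bob', ssn: '987-65-4321' }, record_key: per_key).save

  wrong_key_error = begin
    Patient.find(keyed_rec.id)        # master key cannot open a per-record field
    nil
  rescue OpenSSL::Cipher::CipherError => e
    e.class
  end

  {
    master_roundtrip: Patient.find(master_rec.id).attributes[:ssn],
    keyed_roundtrip: Patient.find(keyed_rec.id, record_key: per_key).attributes[:ssn],
    stored_is_ciphertext: Patient.stored(master_rec.id, :ssn) != '123-45-6789',
    wrong_key_error: wrong_key_error,
  }
end

if __FILE__ == $PROGRAM_NAME
  field_encryption_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Two design points worth noting when wiring a provider into a plugin like this: an authenticated mode (GCM here) means a wrong key or a modified column fails loudly in after_find instead of silently returning garbage, and the IV has to be stored alongside the ciphertext because it is regenerated on every save.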
