Blue Box Customers:
News - Blue Box Group, LLC
Ruby Big Decimal Vulnerability
Posted 9 months ago
Yesterday, both the Rails core team and the Ruby team announce a vulnerability in the Big Decimal libraries of Ruby. This vulnerability does not allow for remote access to your data, however it can allow an attacker to create a Denial of Service attack on your application, essentially rendering it down. To quote the Ruby Team…
ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.
We’ve promptly patched our Ruby RPMs and posted information on how to update in our System Status blog. For users on Debian or Ubuntu, updates should be hitting their repos over the next few days. If you can’t upgrade, we recommend you implement the work arounds provided by the Rails core team. Information on those can be found here:
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby
Our patching instructions for our RPM versions are available here:
http://www.blueboxgrp.com/system_status/2009/06/ruby_security_bug
We strongly recommend for all of our customers to follow those instructions as soon as possible. For assistance, please don’t hesitate to contact us.
Thanks!
- Jesse Proudman
Blue Box Group
Vunerabilities discovered in Ruby
Posted about 1 year ago
Drew Yao of Apple Product Security recently discovered and disclosed several critical vulnerabilities in Ruby which do affect all previously-released versions of Ruby. Starting immediately, over the next few days we’ll be updating the versions installed in our standard Rails stack, as well as those versions which may have been provided by our operating system vendor to revisions which are not vulnerable. We don’t anticipate this causing any problems for any customer-written ruby code.
As we update each system, we will need to restart ruby applications. We anticipate this will entail less than 5 seconds of down-time for each service. (For those of our customers with load-balanced services, this should entail no down time at all.) If you’d like to work with us to schedule a specific time to update the Ruby binary and libraries on your system, please open a support ticket with us.
You can read more about the vulnerabilities discovered here.
The Latest
The Tags
- 2009
- BBG
- Blue
- Box
- BoxPanel
- Bug
- BugMash
- Business
- CDN
- Clients
- Crisis
- Donate
- Events
- Group
- Haiti
- Hostingforhaiti.com
- Install
- iPhone
- IPv6
- Mash
- mod_rails
- mysql
- Network
- NewRelic
- OSS
- Partnerships
- PressBox
- Rails
- RailsConf
- RailsConf09
- Relief
- RPM
- Ruby
- RubyNation
- Sale
- Scalability
- Servers
- Services
- Sponsorships
- syslog-ng
- UTF
- VPS
- Vulnerabilities
- Website
- Wordcamp
- WordPress
- WordPressMU
The Archives
- February 2010
- January 2010
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- March 2008
- January 2008
- December 2007
- October 2007
- August 2007
- June 2007
- May 2007