Ruby update closes XSS vulnerability
The Ruby developers have issued version 1.9.1-p430 of the Ruby programming language, a security update that addresses a cross-site scripting (XSS) vulnerability. According to the developers, Ruby 1.9.1 patchlevel 430 corrects an XSS issue (CVE-2010-0541) in the WEBrick HTTP server that could have allowed an attacker to inject arbitrary script or HTML by using a specially crafted URI.
Ruby 1.8.6-p399, 1.8.7-p299, 1.9.1-p429, 1.9.2 RC2 and prior releases are reportedly affected. Users running the 1.8.7 branch of Ruby can upgrade to patchlevel 302 to correct the issue. The developers encourage all users to upgrade to the latest patch level as soon as possible.
The vulnerability was originally discovered by Apple in late April of this year and reported to the Ruby security team by Hideki Yamane on 11 August. Apple had already shipped a fix for the vulnerability in June of this year as part of its Mac OS X 10.6.4 update and Security Update 2010-004 for Mac OS X 10.5.8.
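The advisory describes a reflected XSS in a URI, so the relevant defensive control is HTML-escaping any request data before it is placed in a response body. The following is an added example, not code from the Ruby project or from WEBrick: a hypothetical error-page builder shown in a weak form (request path inserted verbatim) beside its hardened form (request path escaped with the standard library's `CGI.escapeHTML`), plus a small helper that compares a running interpreter's branch and patchlevel against the fixed patchlevels the article names. The sample request path is constructed for the demonstration.

```ruby
require 'cgi'

# Patchlevels the article names as fixed, keyed by Ruby branch.
FIXED_PATCHLEVELS = { '1.8.7' => 302, '1.9.1' => 430 }.freeze

# true  -> branch is known and the patchlevel is at or past the fix
# false -> branch is known and the patchlevel predates the fix
# nil   -> branch not covered by the article (no data, not "safe")
def webrick_fix_present?(version, patchlevel)
  min = FIXED_PATCHLEVELS[version]
  return nil if min.nil?
  patchlevel >= min
end

# Hypothetical weak pattern: the request path is reflected into the HTML
# body unchanged, so any markup in the path becomes markup in the page.
def not_found_body_unescaped(request_path)
  "<html><body><h1>Not Found</h1><p>#{request_path}</p></body></html>"
end

# Hardened form of the same builder: the path is HTML-escaped before it is
# interpolated, so '<', '>', '&' and quotes are rendered as text.
def not_found_body(request_path)
  "<html><body><h1>Not Found</h1><p>#{CGI.escapeHTML(request_path)}</p></body></html>"
end

# Simple check a reviewer can run over a response body: does the raw
# (unescaped) request path still appear verbatim in the output?
def reflects_raw_path?(body, request_path)
  body.include?(request_path)
end

if __FILE__ == $PROGRAM_NAME
  crafted = '/missing/<script>alert(1)</script>' # constructed sample path
  puts "weak builder reflects raw path:     #{reflects_raw_path?(not_found_body_unescaped(crafted), crafted)}"
  puts "hardened builder reflects raw path: #{reflects_raw_path?(not_found_body(crafted), crafted)}"
  puts "this interpreter past the fix?      #{webrick_fix_present?(RUBY_VERSION, RUBY_PATCHLEVEL).inspect}"
end
```

The version helper returns `nil` rather than `false` for branches the article does not list, so a deployment script can distinguish "not assessed" from "known vulnerable" instead of silently treating an unlisted branch as patched.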
- XSS in WEBrick (CVE-2010-0541), a Ruby security advisory.
- Ruby 1.9.2 gets a second release candidate, a report from The H.