In association with heise online

16 August 2010, 10:54

Ruby update closes XSS vulnerability


The Ruby developers have issued version 1.9.1-p430 of the Ruby programming language, a security update that addresses a cross-site scripting (XSS) vulnerability. According to the developers, Ruby 1.9.1 patchlevel 430 corrects an XSS issue (CVE-2010-0541) in the WEBrick HTTP server that could have allowed an attacker to inject arbitrary script or HTML by using a specially crafted URI.

Ruby 1.8.6-p399, 1.8.7-p299, 1.9.1-p429, 1.9.2 RC2 and prior releases are reportedly affected. Users running the 1.8.7 branch of Ruby can upgrade to patchlevel 302 to correct the issue. The developers encourage all users to upgrade to the latest patch level as soon as possible.
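As an added example (not Ruby's or WEBrick's own code, and not the actual fix), the following Ruby turns the patchlevels named above into a version gate and shows the escaping a WEBrick handler needs when it reflects a request URI into an HTML body; the servlet, the helper names and the sample URI are constructed for illustration.

```ruby
require 'cgi'
begin
  require 'webrick' # a separate gem on Ruby 3.x; only the servlet below needs it
rescue LoadError
end

# Fixed patchlevels named in the advisory, keyed by release branch.
# 1.8.6 and 1.9.2 RC2 are listed as affected but no fixed patchlevel is given.
FIXED_PATCHLEVEL = { '1.8.7' => 302, '1.9.1' => 430 }.freeze

# true  => interpreter is at or above the advisory's fixed patchlevel
# false => on a listed branch but below the fix
# nil   => branch not covered by the advisory's table
def patched_for_cve_2010_0541?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  fixed = FIXED_PATCHLEVEL[version]
  return nil if fixed.nil?
  patchlevel.to_i >= fixed
end

# Reflecting the request URI into an HTML body is the reflected-XSS pattern;
# escaping turns <, >, &, " into entities so a crafted URI renders as text.
def reflect_uri_html(uri)
  "<p>File not found: #{CGI.escapeHTML(uri)}</p>"
end

# Defender's self-check: does a response body echo a URI containing markup
# characters verbatim? true means the server reflects unescaped input.
def reflects_unescaped?(body, uri)
  uri =~ /[<>"&]/ ? body.include?(uri) : false
end

if defined?(WEBrick::HTTPServlet::AbstractServlet)
  # Constructed 404 handler showing the escaped form inside a real WEBrick servlet.
  class SafeNotFoundServlet < WEBrick::HTTPServlet::AbstractServlet
    def do_GET(req, res)
      res.status = 404
      res['Content-Type'] = 'text/html'
      res.body = reflect_uri_html(req.unparsed_uri)
    end
  end
end
```

Mount the servlet with `server.mount('/', SafeNotFoundServlet)` on a `WEBrick::HTTPServer` to see the escaped page; `reflects_unescaped?` can be run against any captured response body and the URI that produced it.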

The vulnerability was originally discovered by Apple in late April of this year and reported to the Ruby security team by Hideki Yamane on the 11th of August. Apple already shipped a fix for the vulnerability in June of this year as part of its Mac OS X 10.6.4 update and Security Update 2010-004 for Mac OS X 10.5.8.

Ruby 1.9.1 is available to download from the project's site. Ruby is licensed under the Ruby licence or under version 2 of the GNU General Public Licence (GPLv2).
