Ruby Enterprise Edition 1.8.6-20090610 released: fixes BigDecimal DoS vulnerability
A denial of service vulnerability in Ruby has been found. An attacker could supply a very large value (such as a number with a huge exponent) to BigDecimal, causing the Ruby interpreter to crash. The following versions of Ruby are affected:
- Ruby 1.8.6-p368 and all prior versions
- Ruby 1.8.7-p160 and all prior versions
- Ruby Enterprise Edition 20090520 and all prior versions
The following code demonstrates the problem:
```ruby
require 'bigdecimal'
BigDecimal("9E69999999").to_s("F")
```
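Upgrading is the actual fix, but applications that accept decimal strings from untrusted input can also refuse values like the one above before they ever reach BigDecimal. The following input guard is an added example, not code from the original post or from Ruby Enterprise Edition; the `safe_bigdecimal` and `acceptable_decimal?` names and the `MAX_ABS_EXPONENT` limit are this example's own assumptions.

```ruby
require 'bigdecimal'

# Assumption: the largest exponent magnitude the application is willing to
# accept. 9E69999999 from the advisory is far beyond this; legitimate money or
# measurement values are far below it.
MAX_ABS_EXPONENT = 1000

# Accepts an optional sign, digits with an optional fraction, and an optional
# signed exponent; captures the exponent digits so we can bound them before
# BigDecimal expands the number.
DECIMAL_RE = /\A\s*[+-]?\d+(?:\.\d+)?(?:[eE]([+-]?\d+))?\s*\z/

# Returns a BigDecimal for a well-formed, bounded literal and raises
# ArgumentError for anything else, so untrusted text never reaches
# BigDecimal (or to_s("F")) unchecked.
def safe_bigdecimal(str)
  m = DECIMAL_RE.match(str.to_s)
  raise ArgumentError, "not a decimal literal: #{str.inspect}" unless m
  exponent = m[1] ? m[1].to_i : 0
  if exponent.abs > MAX_ABS_EXPONENT
    raise ArgumentError, "exponent #{exponent} exceeds limit #{MAX_ABS_EXPONENT}"
  end
  BigDecimal(m[0].strip)
end

# Convenience predicate: true if safe_bigdecimal would accept the input.
def acceptable_decimal?(str)
  safe_bigdecimal(str)
  true
rescue ArgumentError
  false
end
```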
We are releasing Ruby Enterprise Edition 1.8.6-20090610, which is an emergency release containing a backport of the fix. All users are advised to upgrade. We have tested this release against RubySpec, the Rails 2.3 test suite and the Phusion Passenger test suite, and everything passes.
REE releases are usually hosted on RubyForge, but it’s currently down, so we’re temporarily hosting this release on our own web server. Please note that these links are temporary and will be replaced by RubyForge links once RubyForge is online again. (UPDATE: links point to RubyForge now)
To upgrade from a previous version, simply install into the same prefix that you installed to last time. Please also refer to the documentation for upgrade instructions.