Hash-Flooding DOS Vulnerability Addressed in Ruby 1.9

All Ruby 1.9 versions are affected by the security hole

Ruby 1.9.3-p327 has been released. The update brings a number of bug fixes, but it also addresses a serious hash-flooding denial-of-service (DOS) vulnerability which affects all older Ruby 1.9 versions and 2.0 variants prior to the 37575 trunk revision.

The security hole – identified by Jean-Philippe Aumasson, one of the creators of SipHash – is caused by a faulty hash function, and it can be used to launch a DOS attack via a cleverly crafted sequence of strings.

Web applications that parse JSON data sent from an untrusted entity are among those affected by the flaw.

Users are advised to apply the update as soon as possible. In addition, applications that accept input data from an untrusted entity for parsing should restrict that input to a reasonable size.
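One way to apply the size restriction before JSON parsing, shown as an added example that is not code from the Ruby project. The method names, the 64 KiB cap and the nesting limit are assumptions chosen for illustration, and the nesting bound is an extra check beyond what the advisory recommends.

```ruby
require 'json'
require 'stringio'

# Hypothetical limits chosen for this example; tune them per endpoint.
MAX_BODY_BYTES = 64 * 1024   # cap on bytes accepted from the client
MAX_NESTING    = 20          # cap on JSON nesting depth (extra bound)

class InputTooLarge < StandardError; end

# Read at most `limit` bytes from an IO-like request body. A declared
# Content-Length is not trusted: we ask for limit + 1 bytes and reject
# if the extra byte exists, so an oversized body never reaches the parser.
def read_bounded(io, limit = MAX_BODY_BYTES)
  data = io.read(limit + 1) || ''
  raise InputTooLarge, "body exceeds #{limit} bytes" if data.bytesize > limit
  data
end

# Parse untrusted JSON only after the size check has passed. Returns
# [:ok, value] or [:rejected, reason]; no Hash is built from input that
# is oversized, too deeply nested or malformed.
def parse_untrusted_json(io, limit = MAX_BODY_BYTES)
  body = read_bounded(io, limit)
  [:ok, JSON.parse(body, max_nesting: MAX_NESTING)]
rescue InputTooLarge => e
  [:rejected, e.message]
rescue JSON::ParserError => e   # JSON::NestingError is a subclass
  [:rejected, "invalid JSON: #{e.class}"]
end

if __FILE__ == $0
  # Constructed sample inputs: one ordinary request, one with 20,000 keys.
  small = '{"user":"alice","roles":["admin"]}'
  large = '{' + (1..20_000).map { |i| "\"k#{i}\":0" }.join(',') + '}'
  p parse_untrusted_json(StringIO.new(small))
  p parse_untrusted_json(StringIO.new(large))
end
```

The byte cap bounds how many keys a single request can insert into a Hash, which limits the work an attacker can force even on an unpatched interpreter.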

“We are not sure if we can provide protection against this kind of vulnerability at programming language level in the future,” the developers explained.

Ruby is available for download here
