Softpedia

August 16th, 2010, 20:16 GMT · By

Ruby Updates Resolve Cross-Site Scripting Weakness

The latest updates released today for Ruby address a medium-risk cross-site scripting vulnerability discovered in the reference implementation earlier this year by security researchers from Apple.

Ruby is an object-oriented programming language which resembles Perl and Python in syntax and in other aspects, but is generally considered more powerful.

The stable version of the reference interpreter is currently 1.9.1, but the previous 1.8.7 branch is maintained separately and still receives bug fixes and even feature enhancements.

This latest vulnerability patched in Ruby is identified as CVE-2010-0541 and refers to a cross-site scripting weakness in WEBrick, the HTTP server library bundled with Ruby.

An attacker can exploit the vulnerability by crafting a special URI in order to inject arbitrary script or HTML into the page WEBrick returns. The problem is limited to user agents that do not strictly implement HTTP/1.1, which may guess the character encoding of a response that does not declare one.

The bug was discovered by Apple, which fixed it in the Mac OS X 10.6.4 security update back in June by forcing the default character set of HTTP error responses to UTF-8.
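As an added illustration, and not code from the article or from WEBrick itself, the Ruby below shows the shape of the problem and of the fix: an error page that reflects the requested path, built once without a declared charset and once with one. The helper names (error_response_unsafe, error_response_safe, charset_declared?, xss_exposed?) are hypothetical and the UTF-7 payload is constructed for the example. The point it makes is that HTML escaping alone leaves a UTF-7 spelling of `<script>` untouched, because it contains no `<` or `>` bytes; a user agent that guesses the encoding of an unlabeled text/html response can still execute it, which is why the fix pins the charset rather than only escaping the output.

```ruby
require 'cgi'

# Added illustration of the CVE-2010-0541 pattern; hypothetical helpers, not
# WEBrick's own code. A 404 page that echoes the requested path to the client.

# "<script>" spelled in UTF-7 (constructed payload). It carries no '<' or '>'
# bytes, so HTML escaping leaves it alone; only an agent that sniffs the
# encoding of an unlabeled response turns it into a tag.
UTF7_SCRIPT_TAG = '+ADw-script+AD4-'

# Vulnerable shape: the path is reflected raw and the response is text/html
# with no charset, so a lenient client may guess one.
def error_response_unsafe(path)
  body = "<html><body><h1>Not Found</h1><p>#{path} not found.</p></body></html>"
  { status: 404, headers: { 'Content-Type' => 'text/html' }, body: body }
end

# Hardened shape: escape the reflected path AND declare the charset. Escaping
# handles an ordinary '<script>'; the charset is what closes the UTF-7 hole.
def error_response_safe(path)
  body = "<html><body><h1>Not Found</h1><p>#{CGI.escapeHTML(path)} not found.</p></body></html>"
  { status: 404, headers: { 'Content-Type' => 'text/html; charset=UTF-8' }, body: body }
end

# True when a text/html Content-Type carries an explicit charset parameter.
# Non-HTML responses are not subject to this particular sniffing problem.
def charset_declared?(headers)
  ct = headers.fetch('Content-Type', '').downcase
  return true unless ct.start_with?('text/html')
  ct.match?(/;\s*charset=[^;\s]+/)
end

# Audit helper: does the response reflect a literal script tag, or reflect the
# UTF-7 form without pinning the charset so that sniffing agents could run it?
def xss_exposed?(response)
  body = response[:body]
  return true if body.include?('<script>')
  body.include?(UTF7_SCRIPT_TAG) && !charset_declared?(response[:headers])
end

if __FILE__ == $0
  ['/<script>alert(1)</script>', "/#{UTF7_SCRIPT_TAG}alert(1)"].each do |path|
    puts "#{path}: unsafe exposed=#{xss_exposed?(error_response_unsafe(path))}, " \
         "safe exposed=#{xss_exposed?(error_response_safe(path))}"
  end
end
```

Running the block prints that both the plain and the UTF-7 payload are exposed by the unsafe builder and neither by the hardened one, even though the UTF-7 bytes are still present verbatim in the hardened body. The same `charset_declared?` check is a reasonable thing to run over the headers of any HTML error pages a server of this era produces.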

The vulnerability affects 1.8.6-p399 and prior, 1.8.7-p299 and prior, 1.9.1-p429 and prior, 1.9.2 RC2 and prior, as well as the current development builds (1.9.3dev).

The Ruby security team credits Hideki Yamane with reporting the issue to them and advises everyone to update to version 1.9.1 patchlevel 430 of the implementation, or to 1.8.7 patchlevel 302 on the older branch.

There is no new release for 1.8.6 to address this vulnerability and users of this version are advised to upgrade to 1.8.7 or higher. However, a patch written by Hirokazu Nishio can be downloaded and applied manually.

Development versions can be fixed by updating to the most recent revision available in the official repositories.

People might notice the jump from patchlevel 300 to 302 on the 1.8.7 branch. That is because patchlevel 301 was found to be broken immediately after it was released.

Ruby is cross-platform and works on several operating systems including Windows, Linux, Mac OS X, Windows CE and most UNIX-based systems. Version 1.9 has also been ported to Symbian.

Ruby 1.9.1-p430 can be downloaded from here.

Ruby 1.8.7-p302 can be downloaded from here.
