How Not To Fix A Security Bug

14 Jun 2009

November 25th, 2008

November 26th, 2008

November 27th, 2008 to June 2nd, 2009

June 3rd, 2009

June 7th, 2009

June 8th, 2009

June 9th, 2009

June 10th, 2009

June 12th, 2009

June 13th, 2009

June 14th, 2009

June 15th, 2009

tl;dr

This is not a coordinated disclosure. This is a clusterfuck. If you are responsible for running a secure MRI/Ruby installation, your only hope is to watch every change made to Ruby’s trunk and backport the fixes yourself. Depending on your operating system vendor is not a viable strategy: downstream vendors are not given enough advance warning, and the fixes they are handed either introduce other bugs or do not apply cleanly to the last released version.

Updated June 16th, 2009