ruby-core notifies the vendor-sec
mailing list of the vulnerability.
June 8th, 2009
Bug 273213 is created in the
Gentoo bug tracker to address CVE-2009-1904. Like most tickets for
as-yet-undisclosed security vulnerabilities, the ticket was marked
confidential and that “no information should be disclosed until
[the vulnerability] is made public.”
A fix is released
for Debian Unstable. This fix contains the bug that Barry Hess found.
June 14th, 2009
No fix has been released for Ubuntu.
No fix has been released for Red Hat.
No fix has been released for Fedora Core.
No fix has been released for Gentoo.
June 15th, 2009
Ruby 1.8.7-p174 is released
without the BigDecimal#to_f bug.
This is not a coordinated disclosure. This is a clusterfuck. If you are
responsible for running a secure MRI/Ruby installation, your only hope is to pay
attention to all changes made to Ruby’s trunk and backport any fixes yourself.
Depending on your operating system vendor is not a viable strategy, as
downstream vendors are not given sufficient advance warning and are presented
with fixes which introduce other bugs or do not apply cleanly to the last
Updated June 16th, 2009
Michael Koziarski dropped me a note to clarify a
few things. First, his GitHub project was private and was only opened to the
public after the vulnerability was announced. Second, ruby-core sent an
email to the vendor-sec mailing
list 48 hours before the disclosure. I’ve updated the timeline to reflect