mwmitchell-rsolr 0.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGES.txt +41 -0
- data/LICENSE +201 -0
- data/README.rdoc +191 -0
- data/Rakefile +40 -0
- data/examples/direct.rb +20 -0
- data/examples/http.rb +16 -0
- data/lib/core_ext.rb +8 -0
- data/lib/rsolr.rb +34 -0
- data/lib/rsolr/connection.rb +7 -0
- data/lib/rsolr/connection/adapter.rb +7 -0
- data/lib/rsolr/connection/adapter/common_methods.rb +46 -0
- data/lib/rsolr/connection/adapter/direct.rb +80 -0
- data/lib/rsolr/connection/adapter/http.rb +51 -0
- data/lib/rsolr/connection/base.rb +121 -0
- data/lib/rsolr/connection/search_ext.rb +126 -0
- data/lib/rsolr/http_client.rb +115 -0
- data/lib/rsolr/http_client/adapter.rb +6 -0
- data/lib/rsolr/http_client/adapter/curb.rb +51 -0
- data/lib/rsolr/http_client/adapter/net_http.rb +48 -0
- data/lib/rsolr/indexer.rb +23 -0
- data/lib/rsolr/mapper.rb +62 -0
- data/lib/rsolr/mapper/rss.rb +29 -0
- data/lib/rsolr/message.rb +73 -0
- data/lib/rsolr/response.rb +8 -0
- data/lib/rsolr/response/base.rb +33 -0
- data/lib/rsolr/response/index_info.rb +22 -0
- data/lib/rsolr/response/query.rb +170 -0
- data/lib/rsolr/response/update.rb +4 -0
- data/test/connection/direct_test.rb +22 -0
- data/test/connection/http_test.rb +19 -0
- data/test/connection/search_ext_test_methods.rb +17 -0
- data/test/connection/test_methods.rb +122 -0
- data/test/http_client/curb_test.rb +19 -0
- data/test/http_client/net_http_test.rb +13 -0
- data/test/http_client/test_methods.rb +40 -0
- data/test/http_client/util_test.rb +40 -0
- data/test/mapper_test.rb +123 -0
- data/test/message_test.rb +87 -0
- data/test/pagination_test.rb +58 -0
- data/test/ruby-lang.org.rss.xml +391 -0
- data/test/test_helpers.rb +39 -0
- metadata +107 -0
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), '..', 'test_helpers')
|
|
2
|
+
|
|
3
|
+
class HTTPUtilTest < RSolrBaseTest
|
|
4
|
+
|
|
5
|
+
class DummyClass
|
|
6
|
+
include RSolr::HTTPClient::Util
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def setup
|
|
10
|
+
@c = DummyClass.new
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def test_build_url
|
|
14
|
+
m = @c.method(:build_url)
|
|
15
|
+
assert_equal '/something', m.call('/something')
|
|
16
|
+
assert_equal '/something?q=Testing', m.call('/something', :q=>'Testing')
|
|
17
|
+
assert_equal '/something?array=1&array=2&array=3', m.call('/something', :array=>[1, 2, 3])
|
|
18
|
+
assert_equal '/something?array=1&array=2&array=3&q=A', m.call('/something', :q=>'A', :array=>[1, 2, 3])
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def test_escape
|
|
22
|
+
assert_equal '%2B', @c.escape('+')
|
|
23
|
+
assert_equal 'This+is+a+test', @c.escape('This is a test')
|
|
24
|
+
assert_equal '%3C%3E%2F%5C', @c.escape('<>/\\')
|
|
25
|
+
assert_equal '%22', @c.escape('"')
|
|
26
|
+
assert_equal '%3A', @c.escape(':')
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def test_hash_to_params
|
|
30
|
+
my_params = {
|
|
31
|
+
:z=>'should be last',
|
|
32
|
+
:q=>'test',
|
|
33
|
+
:d=>[1, 2, 3, 4],
|
|
34
|
+
:b=>:zxcv,
|
|
35
|
+
:x=>['!', '*', nil]
|
|
36
|
+
}
|
|
37
|
+
assert_equal 'b=zxcv&d=1&d=2&d=3&d=4&q=test&x=%21&x=%2A&z=should+be+last', @c.hash_to_params(my_params)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
end
|
data/test/mapper_test.rb
ADDED
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helpers')
|
|
2
|
+
|
|
3
|
+
require 'rss'
|
|
4
|
+
|
|
5
|
+
class MapperTest < RSolrBaseTest
|
|
6
|
+
|
|
7
|
+
# simple replacement
|
|
8
|
+
def test_string_map
|
|
9
|
+
data = {
|
|
10
|
+
:skip_this=>'!'
|
|
11
|
+
}
|
|
12
|
+
mapping = {
|
|
13
|
+
:id=>'one',
|
|
14
|
+
:name=>'foo'
|
|
15
|
+
}
|
|
16
|
+
mapper = RSolr::Mapper::Base.new(mapping)
|
|
17
|
+
expected = [mapping]
|
|
18
|
+
assert_equal expected, mapper.map(data)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def test_map_yields_if_block_given
|
|
22
|
+
data = {
|
|
23
|
+
:NUMID=>100,
|
|
24
|
+
:type=>:type_val,
|
|
25
|
+
:code=>:code_val
|
|
26
|
+
}
|
|
27
|
+
mapping = {
|
|
28
|
+
:id=>:NUMID,
|
|
29
|
+
:name=>'foo',
|
|
30
|
+
:category=>[:type, :code]
|
|
31
|
+
}
|
|
32
|
+
mapper = RSolr::Mapper::Base.new(mapping)
|
|
33
|
+
expected = [{:name=>"foo", :category=>[:type_val, :code_val], :id=>100}]
|
|
34
|
+
result = mapper.map(data) do |doc|
|
|
35
|
+
assert expected, doc
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
# test enumerable/array mappings
|
|
40
|
+
def test_array_multi_value
|
|
41
|
+
data = {
|
|
42
|
+
:NUMID=>100,
|
|
43
|
+
:type=>:type_val,
|
|
44
|
+
:code=>:code_val
|
|
45
|
+
}
|
|
46
|
+
mapping = {
|
|
47
|
+
:id=>:NUMID,
|
|
48
|
+
:name=>'foo',
|
|
49
|
+
:category=>[:type, :code]
|
|
50
|
+
}
|
|
51
|
+
mapper = RSolr::Mapper::Base.new(mapping)
|
|
52
|
+
expected = [{:name=>"foo", :category=>[:type_val, :code_val], :id=>100}]
|
|
53
|
+
assert_equal expected, mapper.map(data)
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
# test the proc mapping type
|
|
57
|
+
# test that the second arg in the block is a Solr::Mapper
|
|
58
|
+
def test_proc
|
|
59
|
+
data = [{:name=>'-bach;'}]
|
|
60
|
+
mapping = {
|
|
61
|
+
:name=>proc{|d,index|
|
|
62
|
+
assert_equal Fixnum, index.class
|
|
63
|
+
d[:name].gsub(/\W+/, '')
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
mapper = RSolr::Mapper::Base.new(mapping)
|
|
67
|
+
expected = [{:name=>"bach"}]
|
|
68
|
+
assert_equal expected, mapper.map(data)
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
def rss_file
|
|
72
|
+
@rss_file ||= File.join(File.dirname(__FILE__), 'ruby-lang.org.rss.xml')
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
# load an rss feed
|
|
76
|
+
# create a mapping
|
|
77
|
+
# map it and test the fields
|
|
78
|
+
def raw_mapping_rss_docs
|
|
79
|
+
rss = RSS::Parser.parse(File.read(rss_file), false)
|
|
80
|
+
mapping = {
|
|
81
|
+
:channel=>rss.channel.title,
|
|
82
|
+
:url=>rss.channel.link,
|
|
83
|
+
:total=>rss.items.size,
|
|
84
|
+
:title=>proc {|item,index| item.title },
|
|
85
|
+
:link=>proc{|item,index| item.link },
|
|
86
|
+
:published=>proc{|item,index| item.date },
|
|
87
|
+
:description=>proc{|item,index| item.description }
|
|
88
|
+
}
|
|
89
|
+
mapper = RSolr::Mapper::Base.new(mapping)
|
|
90
|
+
mapper.map(rss.items)
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
# load an rss feed
|
|
94
|
+
# create a mapping
|
|
95
|
+
# map it and test the fields
|
|
96
|
+
def rss_mapper_docs
|
|
97
|
+
m = RSolr::Mapper::RSS.new
|
|
98
|
+
mapping = {
|
|
99
|
+
:channel=>:'channel.title',
|
|
100
|
+
:url=>:'channel.link',
|
|
101
|
+
:total=>:'items.size',
|
|
102
|
+
:title=>proc {|item,index| item.title },
|
|
103
|
+
:link=>proc {|item,index| item.link },
|
|
104
|
+
:published=>proc {|item,index| item.date },
|
|
105
|
+
:description=>proc {|item,index| item.description }
|
|
106
|
+
}
|
|
107
|
+
m.map(rss_file, mapping)
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
def test_rss
|
|
111
|
+
[rss_mapper_docs, raw_mapping_rss_docs].each do |docs|
|
|
112
|
+
assert_equal 10, docs.size
|
|
113
|
+
first = docs.first
|
|
114
|
+
# make sure the mapped solr docs have all of the keys from the mapping
|
|
115
|
+
#assert mapping.keys.all?{|mapping_key| first.keys.include?(mapping_key) }
|
|
116
|
+
assert_equal docs.size, docs.first[:total].to_i
|
|
117
|
+
assert_equal Time.parse('Mon Nov 10 09:55:53 -0500 2008'), first[:published]
|
|
118
|
+
assert_equal 'http://www.ruby-lang.org/en/feeds/news.rss/', first[:url]
|
|
119
|
+
assert_equal 'Scotland on Rails 2009', first[:title]
|
|
120
|
+
end
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
end
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helpers')
|
|
2
|
+
|
|
3
|
+
class MessageTest < RSolrBaseTest
|
|
4
|
+
|
|
5
|
+
# call all of the simple methods...
|
|
6
|
+
# make sure the xml string is valid
|
|
7
|
+
# ensure the class is actually Solr::XML
|
|
8
|
+
def test_simple_methods
|
|
9
|
+
[:optimize, :rollback, :commit].each do |meth|
|
|
10
|
+
result = RSolr::Message.send(meth)
|
|
11
|
+
assert_equal "<#{meth}/>", result.to_s
|
|
12
|
+
assert_equal String, result.class
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def test_add_yields_field_attrs_if_block_given
|
|
17
|
+
result = RSolr::Message.add({:id=>1}, :boost=>200.00) do |hash_doc, doc_xml_attrs|
|
|
18
|
+
doc_xml_attrs[:boost] = 10
|
|
19
|
+
end
|
|
20
|
+
assert_equal '<add boost="200.0"><doc><field name="id" boost="10">1</field></doc></add>', result
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def test_delete_by_id
|
|
24
|
+
result = RSolr::Message.delete_by_id(10)
|
|
25
|
+
assert_equal String, result.class
|
|
26
|
+
assert_equal '<delete><id>10</id></delete>', result.to_s
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def test_delete_by_multiple_ids
|
|
30
|
+
result = RSolr::Message.delete_by_id([1, 2, 3])
|
|
31
|
+
assert_equal String, result.class
|
|
32
|
+
assert_equal '<delete><id>1</id><id>2</id><id>3</id></delete>', result.to_s
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def test_delete_by_query
|
|
36
|
+
result = RSolr::Message.delete_by_id('status:"LOST"')
|
|
37
|
+
assert_equal String, result.class
|
|
38
|
+
assert_equal '<delete><id>status:"LOST"</id></delete>', result.to_s
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def test_delete_by_multiple_queries
|
|
42
|
+
result = RSolr::Message.delete_by_id(['status:"LOST"', 'quantity:0'])
|
|
43
|
+
assert_equal String, result.class
|
|
44
|
+
assert_equal '<delete><id>status:"LOST"</id><id>quantity:0</id></delete>', result.to_s
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
# add a single hash ("doc")
|
|
48
|
+
def test_add_hash
|
|
49
|
+
data = {
|
|
50
|
+
:id=>1,
|
|
51
|
+
:name=>'matt'
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
expected = '<add><doc><field name="id">1</field><field name="name">matt</field></doc></add>'
|
|
55
|
+
assert_equal expected, RSolr::Message.add(data).to_s
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
# add an array of hashes
|
|
59
|
+
def test_add_array
|
|
60
|
+
data = [
|
|
61
|
+
{
|
|
62
|
+
:id=>1,
|
|
63
|
+
:name=>'matt'
|
|
64
|
+
},
|
|
65
|
+
{
|
|
66
|
+
:id=>2,
|
|
67
|
+
:name=>'sam'
|
|
68
|
+
}
|
|
69
|
+
]
|
|
70
|
+
|
|
71
|
+
message = RSolr::Message.add(data)
|
|
72
|
+
expected = '<add><doc><field name="id">1</field><field name="name">matt</field></doc><doc><field name="id">2</field><field name="name">sam</field></doc></add>'
|
|
73
|
+
|
|
74
|
+
assert_equal expected, message.to_s
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
# multiValue field support test, thanks to Fouad Mardini!
|
|
78
|
+
def test_add_multi_valued_field
|
|
79
|
+
data = {
|
|
80
|
+
:id => 1,
|
|
81
|
+
:name => ['matt1', 'matt2']
|
|
82
|
+
}
|
|
83
|
+
expected = '<add><doc><field name="id">1</field><field name="name">matt1</field><field name="name">matt2</field></doc></add>'
|
|
84
|
+
assert_equal expected, RSolr::Message.add(data).to_s
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
end
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helpers')
|
|
2
|
+
|
|
3
|
+
class PaginationTest < RSolrBaseTest
|
|
4
|
+
|
|
5
|
+
def create_response(params={})
|
|
6
|
+
response = RSolr::Response::Query::Base.new(mock_query_response)
|
|
7
|
+
response.params.merge! params
|
|
8
|
+
response
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
# test the Solr::Connection pagination methods
|
|
12
|
+
def test_connection_calculate_start
|
|
13
|
+
dummy_connection = RSolr::Connection::Base.new(nil)
|
|
14
|
+
assert_equal 15, dummy_connection.send(:calculate_start, 2, 15)
|
|
15
|
+
assert_equal 450, dummy_connection.send(:calculate_start, 10, 50)
|
|
16
|
+
assert_equal 0, dummy_connection.send(:calculate_start, 0, 50)
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def test_connection_modify_params_for_pagination
|
|
20
|
+
dummy_connection = RSolr::Connection::Base.new(nil)
|
|
21
|
+
p = dummy_connection.send(:modify_params_for_pagination, {:page=>1})
|
|
22
|
+
assert_equal 0, p[:start]
|
|
23
|
+
assert_equal 10, p[:rows]
|
|
24
|
+
#
|
|
25
|
+
p = dummy_connection.send(:modify_params_for_pagination, {:page=>10, :per_page=>100})
|
|
26
|
+
assert_equal 900, p[:start]
|
|
27
|
+
assert_equal 100, p[:rows]
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def test_math
|
|
31
|
+
response = create_response({'rows'=>5})
|
|
32
|
+
assert_equal response.params['rows'], response.per_page
|
|
33
|
+
assert_equal 26, response.total
|
|
34
|
+
assert_equal 1, response.current_page
|
|
35
|
+
assert_equal 6, response.total_pages
|
|
36
|
+
|
|
37
|
+
# now switch the rows (per_page)
|
|
38
|
+
# total and current page should remain the same value
|
|
39
|
+
# page_count should change
|
|
40
|
+
|
|
41
|
+
response = create_response({'rows'=>2})
|
|
42
|
+
assert_equal response.params['rows'], response.per_page
|
|
43
|
+
assert_equal 26, response.total
|
|
44
|
+
assert_equal 1, response.current_page
|
|
45
|
+
assert_equal 13, response.total_pages
|
|
46
|
+
|
|
47
|
+
# now switch the start
|
|
48
|
+
|
|
49
|
+
response = create_response({'rows'=>3})
|
|
50
|
+
response.instance_variable_set '@start', 4
|
|
51
|
+
assert_equal response.params['rows'], response.per_page
|
|
52
|
+
assert_equal 26, response.total
|
|
53
|
+
# 2 per page, currently on the 10th item
|
|
54
|
+
assert_equal 2, response.current_page
|
|
55
|
+
assert_equal 9, response.total_pages
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
end
|
|
@@ -0,0 +1,391 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
|
|
3
|
+
<channel>
|
|
4
|
+
<title>Ruby News</title>
|
|
5
|
+
<link>http://www.ruby-lang.org/en/feeds/news.rss/</link>
|
|
6
|
+
<language>en-us</language>
|
|
7
|
+
<ttl>40</ttl>
|
|
8
|
+
<description>The latest news from Ruby-Lang.org.</description>
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
<item>
|
|
12
|
+
<title>Scotland on Rails 2009</title>
|
|
13
|
+
<description><p><a href="http://scotlandonrails.com">Scotland on Rails</a> is pleased to announce that Conference2009 will be held March 26-28 in Edinburgh, Scotland.</p>
|
|
14
|
+
|
|
15
|
+
|
|
16
|
+
<p>We are now accepting submissions. The closing date for submissions is December 1st 2008, so there&#8217;s still time! Please mail your plaintext proposals for 45 minute sessions to <a href="mailto:submissions@scotlandonrails.com">submissions@scotlandonrails.com</a>.</p>
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
<p>Alternatively, if you are interested in sponsoring the conference, please mail <a href="mailto:sponsorship@scotlandonrails.com">sponsorship@scotlandonrails.com</a> for a prospectus.</p>
|
|
20
|
+
|
|
21
|
+
|
|
22
|
+
<p>Lastly, if you wish to be notified when we open for registration, you can sign up on the site.</p>
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
<p>Come and enjoy all that Edinburgh has to offer (whisky! castle! volcano! ruby! whisky!) in March. We hope to see you there.</p> </description>
|
|
26
|
+
<pubDate>Mon, 10 Nov 2008 14:55:53 GMT</pubDate>
|
|
27
|
+
<guid>http://www.ruby-lang.org/en/news/2008/11/10/scotland-on-rails-2009/</guid>
|
|
28
|
+
<link>http://www.ruby-lang.org/en/news/2008/11/10/scotland-on-rails-2009/</link>
|
|
29
|
+
</item>
|
|
30
|
+
|
|
31
|
+
<item>
|
|
32
|
+
<title>MountainWest RubyConf 2009 dates and CFP</title>
|
|
33
|
+
<description><p><a href="http://mtnwestrubyconf.org">MountainWest RubyConf 2009</a> will be held March 13-14, 2009, in Salt Lake City, Utah, <span class="caps">USA</span>.</p>
|
|
34
|
+
|
|
35
|
+
|
|
36
|
+
<p>Proposals to speak at this regional conference are now being accepted. Please send your proposal to proposals@mtnwestrubyconf.org.</p>
|
|
37
|
+
|
|
38
|
+
|
|
39
|
+
<p>The submission deadline is midnight (MST) on December 31st, 2008.</p>
|
|
40
|
+
|
|
41
|
+
|
|
42
|
+
<p>There are sponsorship opportunities available as well. Please contact sponsorship@mtnwestruby.org if you are interested.</p>
|
|
43
|
+
|
|
44
|
+
|
|
45
|
+
<p>Please see <a href="http://mtnwestrubyconf.org">mtnwestrubyconf.org/</a> for more details as they become available.</p> </description>
|
|
46
|
+
<pubDate>Sat, 08 Nov 2008 15:03:32 GMT</pubDate>
|
|
47
|
+
<guid>http://www.ruby-lang.org/en/news/2008/11/08/mountainwest-rubyconf-2009-dates-and-cfp/</guid>
|
|
48
|
+
<link>http://www.ruby-lang.org/en/news/2008/11/08/mountainwest-rubyconf-2009-dates-and-cfp/</link>
|
|
49
|
+
</item>
|
|
50
|
+
|
|
51
|
+
<item>
|
|
52
|
+
<title> Ruby 1.9.1-preview 1 released</title>
|
|
53
|
+
<description><p>Yugui (Yuki Sonoda) announced the release of Ruby 1.9.1-preview 1:</p>
|
|
54
|
+
|
|
55
|
+
|
|
56
|
+
<blockquote>
|
|
57
|
+
This is a preview release of Ruby 1.9.1, which will be the first stable version of the Ruby 1.9 series. Try it out now and get an early taste of a modern, faster, multilingualized, and much improved Ruby with clearer syntax.<br><br>
|
|
58
|
+
|
|
59
|
+
<p>If you encounter any bugs or problems, please let us know via the official issue tracking system:</p>
|
|
60
|
+
|
|
61
|
+
|
|
62
|
+
<p><a href="http://redmine.ruby-lang.org">http://redmine.ruby-lang.org</a></p>
|
|
63
|
+
|
|
64
|
+
|
|
65
|
+
</blockquote>
|
|
66
|
+
|
|
67
|
+
<p>You can download the release from;</p>
|
|
68
|
+
|
|
69
|
+
|
|
70
|
+
<ul>
|
|
71
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.tar.bz2">ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.tar.bz2</a>
|
|
72
|
+
|
|
73
|
+
<p><span class="caps">SIZE</span>: 6169022 bytes
|
|
74
|
+
<span class="caps">MD5</span>: 0d51dc949bb6b438ad4ebfabbb5f6754
|
|
75
|
+
<span class="caps">SHA256</span>: dc39000537d7c7528ef26af8e1c3a6215b30b6c579c615eaec7013513410456a</p></li>
|
|
76
|
+
</ul>
|
|
77
|
+
|
|
78
|
+
|
|
79
|
+
<ul>
|
|
80
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.tar.gz">ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.tar.gz</a>
|
|
81
|
+
|
|
82
|
+
<p><span class="caps">SIZE</span>: 7409682 bytes
|
|
83
|
+
<span class="caps">MD5</span>: 738f701532452fd5d36f5c155f3ba692
|
|
84
|
+
<span class="caps">SHA256</span>: 99443bdae9f94ba7b08de187881f8cbee172379edf9c5fa85fc04c869150ff6d</p></li>
|
|
85
|
+
</ul>
|
|
86
|
+
|
|
87
|
+
|
|
88
|
+
<ul>
|
|
89
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.zip">ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-preview1.zip</a>
|
|
90
|
+
|
|
91
|
+
<p><span class="caps">SIZE</span>: 8569116 bytes
|
|
92
|
+
<span class="caps">MD5</span>: 5f68246246c4cd29d8a3b6b34b29b6ac
|
|
93
|
+
<span class="caps">SHA256</span>: a6c3a7bf7ea83b595024764926353e08596a78e40c57ac58c568662e5e88df95</p></li>
|
|
94
|
+
</ul> </description>
|
|
95
|
+
<pubDate>Tue, 28 Oct 2008 19:45:27 GMT</pubDate>
|
|
96
|
+
<guid>http://www.ruby-lang.org/en/news/2008/10/28/ruby-1-9-1-preview-1-released/</guid>
|
|
97
|
+
<link>http://www.ruby-lang.org/en/news/2008/10/28/ruby-1-9-1-preview-1-released/</link>
|
|
98
|
+
</item>
|
|
99
|
+
|
|
100
|
+
<item>
|
|
101
|
+
<title>RubyConf 2008 is Sold-out</title>
|
|
102
|
+
<description><p><a href="http://rubyconf.org/">RubyConf 2008</a> is sold out</p>
|
|
103
|
+
|
|
104
|
+
|
|
105
|
+
<p>However, there is a <a href="http://www.regonline.com/builder/site/Default.aspx?eventid=636797">waiting list</a> you can join in case of cancellations.</p> </description>
|
|
106
|
+
<pubDate>Thu, 02 Oct 2008 23:21:06 GMT</pubDate>
|
|
107
|
+
<guid>http://www.ruby-lang.org/en/news/2008/10/02/rubyconf-2008-is-sold-out/</guid>
|
|
108
|
+
<link>http://www.ruby-lang.org/en/news/2008/10/02/rubyconf-2008-is-sold-out/</link>
|
|
109
|
+
</item>
|
|
110
|
+
|
|
111
|
+
<item>
|
|
112
|
+
<title>Voices That Matter 2008</title>
|
|
113
|
+
<description><p>Pearson Education is running a <a href="http://www.voicesthatmatter.com/ruby2008/">Voices That Matter</a> Ruby conference this fall in Boston. The conference, from the same people who Addison-Wesley's Professional Ruby Series, will give you a chance to meet and learn from those very same authors. Don't miss a chance to interact with so many Ruby professionals.</p> </description>
|
|
114
|
+
<pubDate>Tue, 09 Sep 2008 02:49:37 GMT</pubDate>
|
|
115
|
+
<guid>http://www.ruby-lang.org/en/news/2008/09/09/voices-that-matter-2008/</guid>
|
|
116
|
+
<link>http://www.ruby-lang.org/en/news/2008/09/09/voices-that-matter-2008/</link>
|
|
117
|
+
</item>
|
|
118
|
+
|
|
119
|
+
<item>
|
|
120
|
+
<title>DoS vulnerability in REXML</title>
|
|
121
|
+
<description><p>There is a DoS vulnerability in the REXML library included in the Ruby
|
|
122
|
+
Standard Library. A so-called "XML entity explosion" attack technique
|
|
123
|
+
can be used for remotely bringing down (disabling) any application
|
|
124
|
+
which parses user-provided XML using REXML.</p><p>Most Rails applications will be vulnerable because Rails parses
|
|
125
|
+
user-provided XML using REXML by default. </p> <h2><a name="label-0" id="label-0">Impact</a></h2><!-- RDLabel: "Impact" --><p>An attacker can cause a denial of service by causing REXML to parse a
|
|
126
|
+
document containing recursively nested entities such as:</p><pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
|
|
127
|
+
&lt;!DOCTYPE member [
|
|
128
|
+
&lt;!ENTITY a "&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;"&gt;
|
|
129
|
+
&lt;!ENTITY b "&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;"&gt;
|
|
130
|
+
&lt;!ENTITY c "&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;"&gt;
|
|
131
|
+
&lt;!ENTITY d "&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;"&gt;
|
|
132
|
+
&lt;!ENTITY e "&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;"&gt;
|
|
133
|
+
&lt;!ENTITY f "&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;"&gt;
|
|
134
|
+
&lt;!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"&gt;
|
|
135
|
+
]&gt;
|
|
136
|
+
&lt;member&gt;
|
|
137
|
+
&amp;a;
|
|
138
|
+
&lt;/member&gt;</pre><h2><a name="label-1" id="label-1">Vulnerable versions</a></h2><!-- RDLabel: "Vulnerable versions" --><h3><a name="label-2" id="label-2">1.8 series</a></h3><!-- RDLabel: "1.8 series" --><ul>
|
|
139
|
+
<li>1.8.6-p287 and all prior versions</li>
|
|
140
|
+
<li>1.8.7-p72 and all prior versions</li>
|
|
141
|
+
</ul><h3><a name="label-3" id="label-3">1.9 series</a></h3><!-- RDLabel: "1.9 series" --><ul>
|
|
142
|
+
<li>all versions</li>
|
|
143
|
+
</ul><h2><a name="label-4" id="label-4">Solution</a></h2><!-- RDLabel: "Solution" --><p>Please download the following monkey patch to fix this problem.</p><ul>
|
|
144
|
+
<li><a href="http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix2.rb">&lt;URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix2.rb&gt;</a></li>
|
|
145
|
+
</ul><p>Then fix your application to load rexml-expansion-fix2.rb before using
|
|
146
|
+
REXML.</p><pre>require "rexml-expansion-fix2"
|
|
147
|
+
...
|
|
148
|
+
doc = REXML::Document.new(str)
|
|
149
|
+
...</pre><p>If you have a Rails application, copy rexml-expansion-fix2.rb into a
|
|
150
|
+
directory on the load path (such as RAILS_ROOT/lib/), and put the
|
|
151
|
+
following line into config/environment.rb.</p><pre>require "rexml-expansion-fix2"</pre><p>If your application is Rails 2.1 or later, you can simply copy
|
|
152
|
+
rexml-expansion-fix2.rb to RAILS_ROOT/config/initializers and it will
|
|
153
|
+
be required automatically.</p><p>By default, XML entity expansion limit is 10000. You can change it by
|
|
154
|
+
changing REXML::Document.entity_expansion_limit. e.g.</p><pre>REXML::Document.entity_expansion_limit = 1000</pre><p>This fix will be made available as a gem and used by future versions of
|
|
155
|
+
rails, but users should take corrective action immediately.</p><h2><a name="label-5" id="label-5">Credit</a></h2><!-- RDLabel: "Credit" --><p>Credit to Luka Treiber and Mitja Kolsek of ACROS Security for
|
|
156
|
+
disclosing the problem to Ruby and Rails Security Teams.</p><p>Credit to Michael Koziarski of Rails Core Team for creating the monkey
|
|
157
|
+
patch to fix the vulnerability.</p><h2><a name="label-6" id="label-6">Changes</a></h2><!-- RDLabel: "Changes" --><ul>
|
|
158
|
+
<li>2008-08-29 18:46 +09:00 fixed the summary not to mislead that this vulnerability is Rails specific.</li>
|
|
159
|
+
<li>2008-11-09 12:40 +09:00 fixed <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502535">a bug of the monkey patch</a>.</li>
|
|
160
|
+
</ul></description>
|
|
161
|
+
<pubDate>Sat, 23 Aug 2008 07:56:11 GMT</pubDate>
|
|
162
|
+
<guid>http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/</guid>
|
|
163
|
+
<link>http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/</link>
|
|
164
|
+
</item>
|
|
165
|
+
|
|
166
|
+
<item>
|
|
167
|
+
<title>Ruby 1.8.7-p72 and 1.8.6-p287 released</title>
|
|
168
|
+
<description><p>Ruby 1.8.7-p72 and 1.8.6-p287 have been released.
|
|
169
|
+
The last releases were incomplete, and the new releases include fixes of <a href="http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/#label-3">the previously announced vulnerability of dl</a>.</p><p>The released source archives are available at:</p><ul>
|
|
170
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz&gt;</a></li>
|
|
171
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.bz2">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.bz2&gt;</a></li>
|
|
172
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.zip">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.zip&gt;</a></li>
|
|
173
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz&gt;</a></li>
|
|
174
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.bz2">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.bz2&gt;</a></li>
|
|
175
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.zip">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.zip&gt;</a></li>
|
|
176
|
+
</ul> <p>Checksums:</p><pre>MD5(ruby-1.8.6-p287.tar.gz)= f6cd51001534ced5375339707a757556
|
|
177
|
+
SHA256(ruby-1.8.6-p287.tar.gz)= 6463d1932c34ff72b79174ac7d2c28940d29d147928250928a00a0dbee43db57
|
|
178
|
+
SIZE(ruby-1.8.6-p287.tar.gz)= 4590393
|
|
179
|
+
|
|
180
|
+
MD5(ruby-1.8.6-p287.tar.bz2)= 80b5f3db12531d36e6c81fac6d05dda9
|
|
181
|
+
SHA256(ruby-1.8.6-p287.tar.bz2)= ac15a1cb78c50ec9cc7e831616a143586bdd566bc865c6b769a0c47b3b3936ce
|
|
182
|
+
SIZE(ruby-1.8.6-p287.tar.bz2)= 3956902
|
|
183
|
+
|
|
184
|
+
MD5(ruby-1.8.6-p287.zip)= e555d51f5b387fdd52ae53d9bafa13f5
|
|
185
|
+
SHA256(ruby-1.8.6-p287.zip)= 844c66c015565839531a34b83e0526cd4fa2a71cc0f5cc8ddb0d4c158403543a
|
|
186
|
+
SIZE(ruby-1.8.6-p287.zip)= 5606238
|
|
187
|
+
|
|
188
|
+
MD5(ruby-1.8.7-p72.tar.gz)= 5e5b7189674b3a7f69401284f6a7a36d
|
|
189
|
+
SHA256(ruby-1.8.7-p72.tar.gz)= e15ca005076f5d6f91fc856fdfbd071698a4cadac3c6e25855899dba1f6fc5ef
|
|
190
|
+
SIZE(ruby-1.8.7-p72.tar.gz)= 4805594
|
|
191
|
+
|
|
192
|
+
MD5(ruby-1.8.7-p72.tar.bz2)= 0b215c46b89b28d7ab8d56d96e72d5b9
|
|
193
|
+
SHA256(ruby-1.8.7-p72.tar.bz2)= a8f8a28e286dd76747d8e97ea5cfe7a315eb896906ab8c8606d687d9f6f6146e
|
|
194
|
+
SIZE(ruby-1.8.7-p72.tar.bz2)= 4127450
|
|
195
|
+
|
|
196
|
+
MD5(ruby-1.8.7-p72.zip)= b44fe5a12d4bf138ba0d3660e13a8216
|
|
197
|
+
SHA256(ruby-1.8.7-p72.zip)= 77e67be4aa8c3e041e1d20d24e5fcf2e33ad9bccb3da3332b6c0a5b648334903
|
|
198
|
+
SIZE(ruby-1.8.7-p72.zip)= 5855902</pre><p>For a full list of all changes, see the bundled files named ChangeLog, which are also available at the following locations:</p><ul>
|
|
199
|
+
<li><a href="http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_287/ChangeLog">&lt;URL:http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_287/ChangeLog&gt;</a></li>
|
|
200
|
+
<li><a href="http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_72/ChangeLog">&lt;URL:http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_72/ChangeLog&gt;</a></li>
|
|
201
|
+
</ul></description>
|
|
202
|
+
<pubDate>Mon, 11 Aug 2008 02:01:00 GMT</pubDate>
|
|
203
|
+
<guid>http://www.ruby-lang.org/en/news/2008/08/11/ruby-1-8-7-p72-and-1-8-6-p287-released/</guid>
|
|
204
|
+
<link>http://www.ruby-lang.org/en/news/2008/08/11/ruby-1-8-7-p72-and-1-8-6-p287-released/</link>
|
|
205
|
+
</item>
|
|
206
|
+
|
|
207
|
+
<item>
|
|
208
|
+
<title>Multiple vulnerabilities in Ruby</title>
|
|
209
|
+
<description><p>Multiple vulnerabilities have been discovered in Ruby. It's
|
|
210
|
+
recommended that you upgrade to the latest versions.</p> <h2><a name="label-0" id="label-0">Details</a></h2><!-- RDLabel: "Details" --><p>The following vulnerabilities have been discovered.</p><h3><a name="label-1" id="label-1">Several vulnerabilities in safe level</a></h3><!-- RDLabel: "Several vulnerabilities in safe level" --><p>Several vulnerabilities in safe level have been discovered.</p><ul>
|
|
211
|
+
<li><p>untrace_var is permitted at safe level 4.</p>
|
|
212
|
+
<pre>trace_var(:$VAR) {|val| puts "$VAR = #{val}" }
|
|
213
|
+
|
|
214
|
+
Thread.new do
|
|
215
|
+
$SAFE = 4
|
|
216
|
+
eval %q{
|
|
217
|
+
proc = untrace_var :$VAR
|
|
218
|
+
proc.first.call("aaa")
|
|
219
|
+
}
|
|
220
|
+
end.join</pre></li>
|
|
221
|
+
<li><p>$PROGRAM_NAME may be modified at safe level 4.</p>
|
|
222
|
+
<pre>Thread.new do
|
|
223
|
+
$SAFE = 4
|
|
224
|
+
eval %q{$PROGRAM_NAME.replace "Hello, World!"}
|
|
225
|
+
end.join
|
|
226
|
+
|
|
227
|
+
$PROGRAM_NAME #=&gt; "Hello, World!"</pre></li>
|
|
228
|
+
<li><p>Insecure methods may be called at safe level 1-3.</p>
|
|
229
|
+
<pre>class Hello
|
|
230
|
+
def world
|
|
231
|
+
Thread.new do
|
|
232
|
+
$SAFE = 4
|
|
233
|
+
msg = "Hello, World!"
|
|
234
|
+
def msg.size
|
|
235
|
+
self.replace self*10 # replace string
|
|
236
|
+
1 # return wrong size
|
|
237
|
+
end
|
|
238
|
+
msg
|
|
239
|
+
end.value
|
|
240
|
+
end
|
|
241
|
+
end
|
|
242
|
+
|
|
243
|
+
$SAFE = 1 # or 2, or 3
|
|
244
|
+
s = Hello.new.world
|
|
245
|
+
if s.kind_of?(String)
|
|
246
|
+
puts s if s.size &lt; 20 # print string which size is less than 20
|
|
247
|
+
end</pre></li>
|
|
248
|
+
<li><p>Syslog operations are permitted at safe level 4.</p>
|
|
249
|
+
<pre>require "syslog"
|
|
250
|
+
|
|
251
|
+
Syslog.open
|
|
252
|
+
|
|
253
|
+
Thread.new do
|
|
254
|
+
$SAFE = 4
|
|
255
|
+
eval %q{
|
|
256
|
+
Syslog.log(Syslog::LOG_WARNING, "Hello, World!")
|
|
257
|
+
Syslog.mask = Syslog::LOG_UPTO(Syslog::LOG_EMERG)
|
|
258
|
+
Syslog.info("masked")
|
|
259
|
+
Syslog.close
|
|
260
|
+
}
|
|
261
|
+
end.join</pre></li>
|
|
262
|
+
</ul><p>These vulnerabilities were reported by Keita Yamaguchi.</p><h3><a name="label-2" id="label-2">DoS vulnerability in WEBrick</a></h3><!-- RDLabel: "DoS vulnerability in WEBrick" --><p>WEBrick::HTTP::DefaultFileHandler is faulty of exponential time taking
|
|
263
|
+
requests due to a backtracking regular expression in
|
|
264
|
+
WEBrick::HTTPUtils.split_header_value.</p><p>Exploitable server:</p><pre>require 'webrick'
|
|
265
|
+
WEBrick::HTTPServer.new(:Port =&gt; 2000, :DocumentRoot =&gt; "/etc").start</pre><p>Attack:</p><pre>require 'net/http'
|
|
266
|
+
res = Net::HTTP.start("localhost", 2000) { |http|
|
|
267
|
+
req = Net::HTTP::Get.new("/passwd")
|
|
268
|
+
req['If-None-Match'] = %q{meh=""} + %q{foo="bar" } * 100
|
|
269
|
+
http.request(req)
|
|
270
|
+
}
|
|
271
|
+
p res</pre><p>The request likely won't finish in this universe.</p><p>This vulnerability was reported by Christian Neukirchen.</p><h3><a name="label-3" id="label-3">Lack of taintness check in dl</a></h3><!-- RDLabel: "Lack of taintness check in dl" --><p>dl doesn't check taintness, so it could allow attackers to call
|
|
272
|
+
dangerous functions.</p><pre>require 'dl'
|
|
273
|
+
$SAFE = 1
|
|
274
|
+
h = DL.dlopen(nil)
|
|
275
|
+
sys = h.sym('system', 'IP')
|
|
276
|
+
uname = 'uname -rs'.taint
|
|
277
|
+
sys[uname]</pre><p>This vulnerability was reported by sheepman.</p><h3><a name="label-4" id="label-4">DNS spoofing vulnerability in resolv.rb</a></h3><!-- RDLabel: "DNS spoofing vulnerability in resolv.rb" --><p>resolv.rb allow remote attackers to spoof DNS answers. This risk can be
|
|
278
|
+
reduced by randomness of DNS transaction IDs and source ports, so resolv.rb
|
|
279
|
+
is fixed to randomize them.</p><ul>
|
|
280
|
+
<li>see also: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447">CVE-2008-1447</a></li>
|
|
281
|
+
</ul><p>This vulnerability was reported by Tanaka Akira.</p><h2><a name="label-5" id="label-5">Vulnerable versions</a></h2><!-- RDLabel: "Vulnerable versions" --><dl>
|
|
282
|
+
<dt><a name="label-6" id="label-6">1.8 series</a></dt><!-- RDLabel: "1.8 series" -->
|
|
283
|
+
<dd>
|
|
284
|
+
<ul>
|
|
285
|
+
<li>1.8.5 and all prior versions</li>
|
|
286
|
+
<li>1.8.6-p286 and all prior versions</li>
|
|
287
|
+
<li>1.8.7-p71 and all prior versions</li>
|
|
288
|
+
</ul>
|
|
289
|
+
</dd>
|
|
290
|
+
<dt><a name="label-7" id="label-7">1.9 series</a></dt><!-- RDLabel: "1.9 series" -->
|
|
291
|
+
<dd>
|
|
292
|
+
<ul>
|
|
293
|
+
<li>r18423 and all prior revisions</li>
|
|
294
|
+
</ul>
|
|
295
|
+
</dd>
|
|
296
|
+
</dl><h2><a name="label-8" id="label-8">Solution</a></h2><!-- RDLabel: "Solution" --><dl>
|
|
297
|
+
<dt><a name="label-9" id="label-9">1.8 series</a></dt><!-- RDLabel: "1.8 series" -->
|
|
298
|
+
<dd>
|
|
299
|
+
Please upgrade to 1.8.6-p287, or 1.8.7-p72.
|
|
300
|
+
<ul>
|
|
301
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz&gt;</a></li>
|
|
302
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz&gt;</a></li>
|
|
303
|
+
</ul>
|
|
304
|
+
</dd>
|
|
305
|
+
<dt><a name="label-10" id="label-10">1.9 series</a></dt><!-- RDLabel: "1.9 series" -->
|
|
306
|
+
<dd>
|
|
307
|
+
<p>Please check out the latest version using Subversion.</p>
|
|
308
|
+
<pre>$ svn co http://svn.ruby-lang.org/repos/ruby/trunk ruby</pre>
|
|
309
|
+
</dd>
|
|
310
|
+
</dl><p>Please note that a package that corrects this weakness may already be
|
|
311
|
+
available through your package management software.</p><h2><a name="label-11" id="label-11">Credit</a></h2><!-- RDLabel: "Credit" --><p>Credit to Keita Yamaguchi, Christian Neukirchen, sheepman, and Tanaka
|
|
312
|
+
Akira for disclosing these problems to Ruby Security Team.</p><h2><a name="label-12" id="label-12">Changes</a></h2><!-- RDLabel: "Changes" --><ul>
|
|
313
|
+
<li>2008-08-08 12:21 +09:00 fixed the revision number of ruby 1.9.</li>
|
|
314
|
+
<li>2008-08-11 11:23 +09:00 fixed the patchlevel of ruby 1.8. see <a href="http://www.ruby-lang.org/en/news/2008/08/11/ruby-1-8-7-p72-and-1-8-6-p287-released/">the release announcement of Ruby 1.8.7-p72 and 1.8.6-p287</a></li>
|
|
315
|
+
</ul></description>
|
|
316
|
+
<pubDate>Fri, 08 Aug 2008 02:59:49 GMT</pubDate>
|
|
317
|
+
<guid>http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/</guid>
|
|
318
|
+
<link>http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/</link>
|
|
319
|
+
</item>
|
|
320
|
+
|
|
321
|
+
<item>
|
|
322
|
+
<title>RubyConf 2008 Proposals Now Being Accepted</title>
|
|
323
|
+
<description><p><a href="http://www.rubyconf.org">RubyConf 2008</a> will be held in Orlando, Florida, <span class="caps">USA</span>, from November 6 to November 8.</p>
|
|
324
|
+
|
|
325
|
+
|
|
326
|
+
<p><a href="http://www.rubyconf.org/proposals/new">Proposals for presentations</a> are now begin accepted. All proposals must be received by August 21.</p> </description>
|
|
327
|
+
<pubDate>Mon, 04 Aug 2008 20:26:29 GMT</pubDate>
|
|
328
|
+
<guid>http://www.ruby-lang.org/en/news/2008/08/04/rubyconf-2008-proposals-now-being-accepted/</guid>
|
|
329
|
+
<link>http://www.ruby-lang.org/en/news/2008/08/04/rubyconf-2008-proposals-now-being-accepted/</link>
|
|
330
|
+
</item>
|
|
331
|
+
|
|
332
|
+
<item>
|
|
333
|
+
<title>Arbitrary code execution vulnerabilities</title>
|
|
334
|
+
<description><p>Multiple vulnerabilities in Ruby may lead to a denial of service (DoS)
|
|
335
|
+
condition or allow execution of arbitrary code.</p> <h2><a name="label-0" id="label-0">Impact</a></h2><!-- RDLabel: "Impact" --><p>With the following vulnerabilities, an attacker can lead to denial of
|
|
336
|
+
service condition or execute arbitrary code.</p><ul>
|
|
337
|
+
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662">CVE-2008-2662</a></li>
|
|
338
|
+
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663">CVE-2008-2663</a></li>
|
|
339
|
+
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725">CVE-2008-2725</a></li>
|
|
340
|
+
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726">CVE-2008-2726</a></li>
|
|
341
|
+
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664">CVE-2008-2664</a></li>
|
|
342
|
+
</ul><h2><a name="label-1" id="label-1">Vulnerable versions</a></h2><!-- RDLabel: "Vulnerable versions" --><dl>
|
|
343
|
+
<dt><a name="label-2" id="label-2">1.8 series</a></dt><!-- RDLabel: "1.8 series" -->
|
|
344
|
+
<dd>
|
|
345
|
+
<ul>
|
|
346
|
+
<li>1.8.4 and all prior versions</li>
|
|
347
|
+
<li>1.8.5-p230 and all prior versions</li>
|
|
348
|
+
<li>1.8.6-p229 and all prior versions</li>
|
|
349
|
+
<li>1.8.7-p21 and all prior versions</li>
|
|
350
|
+
</ul>
|
|
351
|
+
</dd>
|
|
352
|
+
<dt><a name="label-3" id="label-3">1.9 series</a></dt><!-- RDLabel: "1.9 series" -->
|
|
353
|
+
<dd>
|
|
354
|
+
<ul>
|
|
355
|
+
<li>1.9.0-1 and all prior versions</li>
|
|
356
|
+
</ul>
|
|
357
|
+
</dd>
|
|
358
|
+
</dl><h2><a name="label-4" id="label-4">Solution</a></h2><!-- RDLabel: "Solution" --><dl>
|
|
359
|
+
<dt><a name="label-5" id="label-5">1.8 series</a></dt><!-- RDLabel: "1.8 series" -->
|
|
360
|
+
<dd>
|
|
361
|
+
Please upgrade to 1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22.
|
|
362
|
+
<ul>
|
|
363
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p231.tar.gz&gt;</a>
|
|
364
|
+
(md5sum: e900cf225d55414bffe878f00a85807c)</li>
|
|
365
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.gz&gt;</a>
|
|
366
|
+
(md5sum: 5e8247e39be2dc3c1a755579c340857f)</li>
|
|
367
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz&gt;</a>
|
|
368
|
+
(md5sum: fc3ede83a98f48d8cb6de2145f680ef2)</li>
|
|
369
|
+
</ul>
|
|
370
|
+
</dd>
|
|
371
|
+
<dt><a name="label-6" id="label-6">1.9 series</a></dt><!-- RDLabel: "1.9 series" -->
|
|
372
|
+
<dd>
|
|
373
|
+
Please upgrade to 1.9.0-2.
|
|
374
|
+
<ul>
|
|
375
|
+
<li><a href="ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz">&lt;URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-2.tar.gz&gt;</a>
|
|
376
|
+
(md5sum: 2a848b81ed1d6393b88eec8aa6173b75)</li>
|
|
377
|
+
</ul>
|
|
378
|
+
</dd>
|
|
379
|
+
</dl><p>These versions also fix the vulnerability of WEBrick (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1891">CVE-2008-1891</a>).</p><p>Please note that a package that corrects this weakness may already be
|
|
380
|
+
available through your package management software.</p><h2><a name="label-7" id="label-7">Credit</a></h2><!-- RDLabel: "Credit" --><p>Credit to Drew Yao of Apple Product Security for disclosing the problem to Ruby
|
|
381
|
+
Security Team.</p><h2><a name="label-8" id="label-8">Changes</a></h2><!-- RDLabel: "Changes" --><ul>
|
|
382
|
+
<li>2008-06-21 00:29 +09:00 removed wrong CVE IDs (CVE-2008-2727, CVE-2008-2728).</li>
|
|
383
|
+
</ul></description>
|
|
384
|
+
<pubDate>Fri, 20 Jun 2008 12:54:43 GMT</pubDate>
|
|
385
|
+
<guid>http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/</guid>
|
|
386
|
+
<link>http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/</link>
|
|
387
|
+
</item>
|
|
388
|
+
|
|
389
|
+
|
|
390
|
+
</channel>
|
|
391
|
+
</rss>
|