Created November 23, 2013 21:39
You are receiving this email because you run at least one Ruby (MRI) application on Heroku.

Early this morning, the Ruby project announced a security vulnerability in MRI 1.8.7, 1.9.2, 1.9.3, 2.0.0. The CVE identifier is CVE-2013-4164. Rubinius and JRuby are unaffected.

We believe this is limited to a denial of service vulnerability. Any Ruby application that parses JSON from an untrusted source can potentially be made to crash with little difficulty. There is also a slim theoretical possibility of a much more serious vulnerability, an Arbitrary Code Execution. We would like to stress that there are no known Proofs of Concept and this is purely theoretical, but cannot be ruled out.

In response, we have released Ruby 1.8.7p375, 1.9.2p321, 1.9.3p484 and 2.0.0p353 which close this vulnerability. Please upgrade as soon as possible.
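The practical check a practitioner wants after reading the e-mail above is whether a given interpreter is at or above the patch levels it names as fixed. The following is an added example, not part of the Heroku e-mail or the gist: the fixed patch levels and the unaffected engines come from the e-mail; the function name, the return values, and the decisions to treat MRI versions newer than 2.0.0 as fixed and development builds (patchlevel -1) or unlisted versions as unknown are assumptions of this example.

```ruby
# Added example: decide whether an MRI build is below the patch level that
# the advisory names as fixed for CVE-2013-4164.

# Fixed patch levels as stated in the advisory (major.minor.teeny => patchlevel).
CVE_2013_4164_FIXED_PATCHLEVEL = {
  "1.8.7" => 375,
  "1.9.2" => 321,
  "1.9.3" => 484,
  "2.0.0" => 353,
}.freeze

# Returns :unaffected, :vulnerable, or :unknown.
# engine     - RUBY_ENGINE ("ruby" for MRI, "jruby", "rbx", ...)
# version    - RUBY_VERSION, e.g. "1.9.3"
# patchlevel - RUBY_PATCHLEVEL, e.g. 448 (-1 on development builds)
def cve_2013_4164_status(engine, version, patchlevel)
  # The advisory says Rubinius and JRuby are unaffected; only MRI is in scope.
  return :unaffected unless engine == "ruby"

  # Assumption of this example: MRI releases newer than 2.0.0 postdate the fix.
  triple = version.split(".").first(3).map(&:to_i)
  return :unaffected if (triple <=> [2, 0, 0]) == 1

  fixed = CVE_2013_4164_FIXED_PATCHLEVEL[version]
  # Versions the advisory does not list (e.g. 1.8.6) are reported as unknown
  # rather than silently assumed safe.
  return :unknown if fixed.nil?

  # Development builds report -1 and cannot be compared against a patch level.
  return :unknown if patchlevel.nil? || patchlevel < 0

  patchlevel >= fixed ? :unaffected : :vulnerable
end

# Evaluate the interpreter this script is running under. RUBY_ENGINE does not
# exist on 1.8.7, which is MRI, so it falls back to "ruby" there.
def running_ruby_status
  engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : "ruby"
  cve_2013_4164_status(engine, RUBY_VERSION, RUBY_PATCHLEVEL)
end

if __FILE__ == $PROGRAM_NAME
  puts "#{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: #{running_ruby_status}"
end
```

Run it under each interpreter that serves untrusted JSON (`ruby check.rb`); anything reporting `:vulnerable` is below the patch level the advisory names, and `:unknown` means the version is outside what the advisory covers and needs a manual look rather than an assumption.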