Thursday, May 16, 2013

Security fix for Ruby 1.9 applications

A new Ruby version was released recently to address a security issue. There is a vulnerability in DL and Fiddle in Ruby where tainted strings can be passed to system calls regardless of the $SAFE level set in Ruby.

We want to let BitNami users know that most popular Rails-based application installers, virtual machines and cloud images have already been updated and released to include a fixed Ruby version. We continue working on upgrading all of them for all platforms.

Ruby stack, Redmine, GitLab, Discourse, Tracks and Spree with Ruby version 1.9.3-p429 have already been released.

We have also taken this chance to upgrade several core components to their latest version, which we were already in the process of releasing:
  • Apache version 2.4.4
  • Passenger version 4.0.2
  • phpMyAdmin version 4.0.0
  • Perl version 5.16.3
  • Mod_perl version 2.0.8 for Apache 2.4.4

We updated Ruby-based stacks for Linux and OS X platforms. We will update the Windows-based stacks soon. If you already have a version of these applications installed, please make sure that you update your environment or apply the appropriate patch.
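One way to verify that an environment has picked up the fix, as an added example that is not BitNami's code: it parses a Ruby build string (such as the output of `ruby -v`) and checks it against the 1.9.3-p429 version named above. The sample strings are constructed, and any version line other than 1.9.3 is reported as not covered, since this post only names the 1.9.3 fix.

```ruby
# Added example (not BitNami's code): checks whether a Ruby build is at or
# past 1.9.3-p429, the patched version named in the announcement.
# Anything outside the 1.9.3 line is reported as :not_covered rather than
# guessed at, because this post only names the 1.9.3 fix.

FIXED_VERSION    = "1.9.3"
FIXED_PATCHLEVEL = 429

# Parse strings like "1.9.3-p429", "1.9.3p392" or the first line of
# `ruby -v` ("ruby 1.9.3p429 (...)") into [version, patchlevel].
# Returns nil when no version/patchlevel pair is present.
def parse_ruby_build(str)
  m = str.match(/(\d+\.\d+\.\d+)-?p(\d+)/)
  return nil unless m
  [m[1], m[2].to_i]
end

# Returns :fixed, :vulnerable, or :not_covered (a version line this
# announcement does not describe, so no claim is made about it).
def fiddle_fix_status(version, patchlevel)
  return :not_covered unless version == FIXED_VERSION
  patchlevel >= FIXED_PATCHLEVEL ? :fixed : :vulnerable
end

# Classify a raw build string; nil input means it could not be parsed.
def classify_build_string(str)
  parsed = parse_ruby_build(str)
  return nil unless parsed
  fiddle_fix_status(*parsed)
end

# Checks the interpreter this script is running under.
def running_ruby_status
  fiddle_fix_status(RUBY_VERSION, RUBY_PATCHLEVEL)
end

if __FILE__ == $0
  # Constructed sample inputs, then the running interpreter.
  ["ruby 1.9.3p392 (constructed sample)", "1.9.3-p429", "ruby 2.0.0p0"].each do |s|
    puts "#{s.inspect} => #{classify_build_string(s).inspect}"
  end
  puts "this interpreter #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL} => #{running_ruby_status}"
end
```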