Drew Yao at Apple uncovered a handful of nasty security vulnerabilities affecting all current versions of Ruby. The details are still under wraps because an attacker can DoS you or possibly execute arbitrary code — holy crap! Better upgrade sooner than later.
According to the official Ruby security advisory, the vulnerable Rubies are:
- 1.8.4 and earlier
- 1.8.5-p230 and earlier
- 1.8.6-p229 and earlier
- 1.8.7-p21 and earlier
Those of us running Ruby 1.8.4 or earlier must upgrade to 1.8.5 or later for a fix. Those on 1.8.5-7 can grab the latest patchlevel release for a fix.
(Please note: Ruby 1.8.7 breaks backward compatibility and is only compatible with Rails 2.1 and later, so don’t go overboard!)