The Register® — Biting the hand that feeds IT

Comments on: Ruby flaws send security researchers into shock

off topic? 

Posted Tuesday 24th June 2008 04:51 GMT

"open source language" doesn't quite compute here.

Is it an open source language compiler (/interpreter) that you refer to, or a publicly documented language?

I suspect the first, as vulnerabilities match better to actual software than to language features, but you never know :) (Actually I'm not really sure the latter even makes sense here, since isn't every programming language "exploitable" in at least a thousand ways, so it wouldn't be a story...)

If this were ASP.NET.... ;-) 

Posted Tuesday 24th June 2008 07:03 GMT

Yes, every language has errors in it that make it exploitable.

Here, the exploits can be carried out with crafted user input from applications developed with the language.

I've nothing against Ruby on Rails, but I'm sure that were this a similar issue with ASP.NET the pitchforks would already be being sharpened and the brands lit for an ol' style mob storming of the barricades.... :-)

Rails remains a bad joke 

Posted Tuesday 24th June 2008 07:33 GMT

Here's another (welcome) nail in the coffin of the only framework really "worthy" of Web 2.0. And you know what I mean by worthy. It doesn't scale, its developers are all primadonnas who don't understand what "scale" even means, there's no formal language spec, and now this lousy bit of implementation right in the heart of Ruby. I wish the JAVA ticker symbol actually represented Java, cause I'd be buying some right now.

@F Seiler 

Posted Tuesday 24th June 2008 08:30 GMT

The details are under some kind of embargo at the moment, so it's impossible to do anything about the problem other than install their patches...

Philosophy aside however, the patches are to the interpreter so I guess that's where the problem lies. Your point about the spec is facetious since Ruby is specified by its implementation rather than having a laid down formal grammar.

ummmmmm 

Posted Tuesday 24th June 2008 09:10 GMT

"The flaws were discovered by Drew Yao of Apple Product Security."

Apple has a product security department????

But Java's so fat and bloated man, and Ruby's like cool and stuff 

Posted Tuesday 24th June 2008 09:11 GMT

One of the major concerns I had about Rails was the utter lack of security support at the framework level. It wouldn't surprise me if most apps out there have tons of holes simply because there is no standard way of securing them. But vulnerabilities at the language level - ouch!

@JonB 

Posted Tuesday 24th June 2008 10:07 GMT

"specified by its implementation rather than having a laid down formal grammar"

I think that was rather his point. Yes, that does indeed mean that he seriously dislikes the design philosophy Ruby is based on.

More info 

Posted Tuesday 24th June 2008 10:12 GMT

From Fedora's SRPMS dir you can download ruby-1.8.6.230-1.fc10.src.rpm, and the following comment is in ruby.spec:

%changelog
* Tue Jun 24 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-1
- New upstream release.
- Security fixes. (#452295)
- CVE-2008-1891: WEBrick CGI source disclosure.
- CVE-2008-2662: Integer overflow in rb_str_buf_append().
- CVE-2008-2663: Integer overflow in rb_ary_store().
- CVE-2008-2664: Unsafe use of alloca in rb_str_format().
- CVE-2008-2725: Integer overflow in rb_ary_splice().
- CVE-2008-2726: Integer overflow in rb_ary_splice().
- ruby-1.8.6.111-CVE-2007-5162.patch: removed.
- Build ruby-mode package for all archtectures.

You can also read http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_230/ChangeLog - search for "CVE" and "overflow".
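Several of the changelog entries above name the same bug class: an integer overflow in a length computation before a buffer is grown. The following is an added illustration in C of that class and of the check that closes it; it is not Ruby's code and is not one of the comment authors' examples. The `sbuf` type, `unchecked_total`, `add_would_overflow` and `sbuf_append_checked` are invented for this example, and the 32-bit length field is chosen only to make the wrap easy to trigger on any machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable string buffer (invented for this example, not Ruby's RString).
 * The 32-bit length field is deliberate: it makes the wrap-around easy to show. */
typedef struct {
    char *ptr;
    uint32_t len;   /* bytes in use */
    uint32_t cap;   /* bytes allocated */
} sbuf;

/* The size computation an unchecked append performs: len + add, wrapping silently
 * when the sum exceeds UINT32_MAX. A wrapped "total" passes any `need > cap` test,
 * so no growth happens and the memcpy that follows writes past the allocation. */
uint32_t unchecked_total(uint32_t len, uint32_t add)
{
    return len + add;   /* unsigned wrap is defined behaviour, but the value is wrong */
}

/* The missing check: true when len + add cannot be represented in a uint32_t.
 * Written as a subtraction so the check itself can never overflow. */
int add_would_overflow(uint32_t len, uint32_t add)
{
    return add > UINT32_MAX - len;
}

/* Hardened append. Returns 0 on success, -1 if the length would wrap or the
 * allocation fails; on -1 the buffer is left untouched. `n` is treated as
 * attacker-controlled, since in an interpreter it derives from script input. */
int sbuf_append_checked(sbuf *b, const char *src, uint32_t n)
{
    if (add_would_overflow(b->len, n))
        return -1;
    uint32_t need = b->len + n;           /* safe: checked above */
    if (need > b->cap) {
        char *p = realloc(b->ptr, need);  /* grow exactly; doubling could overflow again */
        if (!p)
            return -1;
        b->ptr = p;
        b->cap = need;
    }
    memcpy(b->ptr + b->len, src, n);
    b->len = need;
    return 0;
}

int main(void)
{
    /* Constructed input: a buffer already 0xFFFFFFF0 bytes long plus a 0x20-byte append. */
    uint32_t len = 0xFFFFFFF0u, add = 0x20u;
    printf("unchecked total: 0x%x (wrapped)\n", unchecked_total(len, add));
    printf("overflow detected: %d\n", add_would_overflow(len, add));

    sbuf b = {NULL, 0, 0};
    sbuf_append_checked(&b, "abc", 3);
    sbuf_append_checked(&b, "def", 3);
    printf("checked append of oversized n: %d\n",
           sbuf_append_checked(&b, "x", UINT32_MAX));
    printf("buffer: %.*s (len %u)\n", (int)b.len, b.ptr, b.len);
    free(b.ptr);
    return 0;
}
```

The point of the ordering in `sbuf_append_checked` is that the overflow test runs on the operands, before the sum exists; a test on the wrapped sum (`need < b->len`, say) works for addition but not for the multiplications that element-count-times-element-size computations introduce, which is why checking the operands is the habit worth keeping.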

Re: "Rails remains a bad joke" and "But Java's so fat and .. " 

Posted Tuesday 24th June 2008 12:34 GMT

AC: Have you ever used it? I bet you are a Java programmer.

Pavel - do you actually have any evidence? There's a lot of security built in, and, if you follow the standard guidelines, you can avoid stuff like SQL and JavaScript injections out of the box, plus Rails 2 has had session management improved to avoid man in the middle attacks.

What are you talking about? Where is your evidence??

Or are you just anti because it's suddenly become cool to be anti?

"open source language" 

Posted Tuesday 24th June 2008 13:19 GMT

This doesn't have to mean "the language is licensed under an open source license" - he could simply mean a language commonly employed in open-source projects rather than closed source apps.

@chuBb - too funny =D

@ Francis Fish "Have you ever used it?" 

Posted Tuesday 24th June 2008 22:41 GMT

Yes, Frank, I've used Ruby. If I remember right, my last job was CTO at a company whose entire product is built on Rails. So, you lose the bet. You can pay up by giving DHH a handjob for me.

"Ruby is specified by its implementation" 

Posted Tuesday 24th June 2008 22:58 GMT

nnyeees... We're making it up as we go along?

Cure worse than the disease? 

Posted Wednesday 25th June 2008 12:28 GMT

Just to make life interesting - the "fixed" 1.8.6p230 introduces bugs which cause Rails 2.0.2 to crash, either with errors like "wrong argument type FalseClass (expected Proc)" or good old-fashioned segfaults.

http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities

Ruby on Ruby 

Posted Wednesday 25th June 2008 17:34 GMT

You know, if the Ruby interpreter had been re-implemented in Ruby, there wouldn't be a problem...

@ JonB 

Posted Wednesday 25th June 2008 19:31 GMT

Ruby is "specified by its implementation"?

Uhh, then why did they fix this bug?