| 1 | +--- |
| 2 | +layout: page |
| 3 | +title: Security |
| 4 | +--- |
| 5 | + |
| 6 | +Here you will find information about security issues of Ruby. |
| 7 | + |
| 8 | +## <a name="label-0" id="label-0">Reporting Security Vulnerabilities</a> |
| 9 | + |
| 10 | +<!-- RDLabel: "Reporting Security Vulnerabilities" --> |
| 11 | + |
| 12 | +Security vulnerabilities should be reported via an email to |
| 13 | +[email protected] ( [the PGP public key ](/security.asc)), which is a |
| 14 | +private mailing list. Reported problems will be published after fixes. |
| 15 | + |
| 16 | +## <a name="label-1" id="label-1">Known issues</a> |
| 17 | + |
| 18 | +<!-- RDLabel: "Known issues" --> |
| 19 | + |
| 20 | +Here are recent issues. |
| 21 | + |
| 22 | +* [Exception methods can bypass $SAFE][1] published at 18 Feb, 2011. |
| 23 | +* [FileUtils is vulnerable to symlink race attacks][2] published at 18 |
| 24 | + Feb, 2011. |
| 25 | +* [XSS in WEBrick (CVE-2010-0541)][3] published at 16 Aug, 2010. |
| 26 | +* [Buffer over-run in ARGF.inplace\_mode=][4] published at 2 Jul, 2010. |
| 27 | +* [WEBrick has an Escape Sequence Injection vulnerability][5] published |
| 28 | + at 10 Jan, 2010 |
| 29 | +* [Heap overflow in String][6] published at 7 Dec, 2009 |
| 30 | +* [DoS vulnerability in |
| 31 | + REXML](/en/news/2008/08/23/dos-vulnerability-in-rexml/) published at |
| 32 | + 23 Aug, 2008 |
| 33 | +* [Multiple vulnerabilities in |
| 34 | + Ruby](/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/) published |
| 35 | + at 8 Aug, 2008 |
| 36 | +* [Arbitrary code execution |
| 37 | + vulnerabilities](/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/) |
| 38 | + published at 20 Jun, 2008 |
| 39 | +* [File access vulnerability of |
| 40 | + WEBrick](/en/news/2008/03/03/webrick-file-access-vulnerability/) |
| 41 | + published at 3 Mar, 2008 |
| 42 | +* [Net::HTTPS |
| 43 | + Vulnerability](/en/news/2007/10/04/net-https-vulnerability/) published |
| 44 | + at 4 Oct, 2007 |
| 45 | +* [Another DoS Vulnerability in CGI |
| 46 | + Library](/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/) |
| 47 | + published at 4 Dec, 2006 |
| 48 | +* [DoS Vulnerability in CGI Library](/en/news/2006/11/03/CVE-2006-5467/) |
| 49 | + published at 3 Nov, 2006 |
| 50 | +* [Ruby vulnerability in the safe level |
| 51 | + settings](/en/news/2005/10/03/ruby-vulnerability-in-the-safe-level-settings/) |
| 52 | + published at 2 Oct, 2005 |
| 53 | + |
| 54 | +[1]: http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/ |
| 55 | +[2]: http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/ |
| 56 | +[3]: http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/ |
| 57 | +[4]: http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-1-p429-is-released/ |
| 58 | +[5]: http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection// |
| 59 | +[6]: http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/ |
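Review bot: the `[5]` reference definition at the bottom of the hunk ends in a doubled slash (`.../webrick-escape-sequence-injection//`), and the `[4]` definition for "Buffer over-run in ARGF.inplace_mode=" points at the `ruby-1-9-1-p429-is-released` announcement rather than a dedicated advisory page; drop the trailing `//` and confirm that the release post is the intended target for the ARGF entry. The last list item disagrees with its own link: the text says `published at 2 Oct, 2005` while the URL path is `/2005/10/03/`, so one of the two dates is wrong. On the reporting line the list address renders as the generic placeholder `[email protected]` and the key link carries stray spaces inside the brackets (`[the PGP public key ](/security.asc)`); the rendered page must show the actual mailing-list address, otherwise readers have nowhere to send a report. Minor style points: the first four entries end with a period and the later ones do not, and the list mixes absolute `http://www.ruby-lang.org/en/news/...` references with site-relative `/en/news/...` links; use the relative form throughout.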