(2011/12/29 11:44), botp wrote:
> On Wed, Dec 28, 2011 at 7:51 AM, Thomas E Enebo <tom.en...@gmail.com> wrote:
>>> JRuby 1.6.5.1 is a special release with a single patch applied to our
>>> JRuby 1.6.5 source to correct CERT vulnerability CERT-2011-003
>>> (http://www.ocert.org/advisories/ocert-2011-003.html). All users are
>>> recommended to upgrade to JRuby 1.6.5.1 to get this security fix.
>
> If I run (the older) jruby with the -1.9 option, would I still be affected?
Yes, jruby <= 1.6.5 uses the sdbm hash (good old CRuby 1.8's hash function) in both 1.8 and 1.9 mode. Please upgrade to 1.6.5.1, which uses MurmurHash2 like CRuby 1.9 (in both 1.8 and 1.9 mode).

If you can't upgrade, try to apply the patch for the jruby 1.6 series [1]. If you can't apply the patch, you might be able to get help from the latest Rack release [2]. If you're using WEBrick for production by accident, here's an experimental patch [3].

[1] https://github.com/jruby/jruby/compare/9dcd3885...2f607d21
[2] https://groups.google.com/forum/#!topic/rack-devel/Gk74wz5GH_4
[3] https://github.com/nahi/webrick/compare/0daf82f1...ruby_1_8_7

Best regards,
// NaHi
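The Rack release NaHi points to mitigates the hash-collision problem at the parameter parser rather than in the hash function, by capping the total bytes spent on distinct parameter names (Rack exposes this as Rack::Utils.key_space_limit). The following is an added illustration of that idea, not code from this thread, from JRuby or from Rack; the constant, function and exception names are my own, and the 65,536-byte budget is an assumed default.

```ruby
require 'uri'

# Raised when a request tries to introduce more distinct parameter names
# than the configured key-space budget allows.
class KeySpaceExceeded < StandardError; end

# Assumed budget: total bytes of *distinct* parameter names per request.
KEY_SPACE_LIMIT = 65_536

# Parse an application/x-www-form-urlencoded body into a Hash while
# charging each new key's byte size against the budget. Repeated keys are
# charged once, since they do not add entries to the Hash. The check runs
# before the insert, so an over-budget request never grows the table.
def parse_form(body, limit: KEY_SPACE_LIMIT)
  params = {}
  key_bytes = 0
  body.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split('=', 2)
    key = URI.decode_www_form_component(raw_key)
    value = raw_value ? URI.decode_www_form_component(raw_value) : ''
    unless params.key?(key)
      key_bytes += key.bytesize
      if key_bytes > limit
        raise KeySpaceExceeded, "parameter key space exceeds #{limit} bytes"
      end
    end
    params[key] = value
  end
  params
end

# Convenience wrapper for a request filter: true if the body fits the
# budget, false if it should be rejected before reaching the application.
def accept_request?(body, limit: KEY_SPACE_LIMIT)
  parse_form(body, limit: limit)
  true
rescue KeySpaceExceeded
  false
end
```

Rejecting an over-budget request up front bounds the number of Hash inserts an attacker can force per request, which is what makes a quadratic-collision pile-up unattractive even on a runtime still using sdbm.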