If you use a Java servlet engine (Tomcat, Jetty, etc.), a similar "bug" in Java makes your application still vulnerable!!! For an in-depth explanation of the actual thing see:
http://youtu.be/R2Cq3CLI6H8

Regards,
Kristian

On Wed, Jan 4, 2012 at 7:38 AM, Hiroshi Nakamura <n...@ruby-lang.org> wrote:
> (2011/12/29 11:44), botp wrote:
>> On Wed, Dec 28, 2011 at 7:51 AM, Thomas E Enebo <tom.en...@gmail.com> wrote:
>>>> JRuby 1.6.5.1 is a special release with a single patch applied to our
>>>> JRuby 1.6.5 source to correct CERT vulnerability CERT-2011-003
>>>> (http://www.ocert.org/advisories/ocert-2011-003.html). All users are
>>>> recommended to upgrade to JRuby 1.6.5.1 to get this security fix.
>>
>> If I run (the older) JRuby with the -1.9 option, would I still be affected?
>
> Yes, JRuby <= 1.6.5 uses the sdbm hash (good old CRuby 1.8's hash function)
> in both 1.8 and 1.9 mode. Please upgrade to 1.6.5.1, which uses MurmurHash2
> like CRuby 1.9 (in both 1.8 and 1.9 mode).
>
> If you can't upgrade, try to apply the patch for the JRuby 1.6 series [1].
> If you can't apply the patch, you might be able to get help from the
> latest Rack release [2]. If you're using WEBrick for production by
> accident, here's an experimental patch [3].
>
> [1] https://github.com/jruby/jruby/compare/9dcd3885...2f607d21
> [2] https://groups.google.com/forum/#!topic/rack-devel/Gk74wz5GH_4
> [3] https://github.com/nahi/webrick/compare/0daf82f1...ruby_1_8_7
>
> Best regards,
> // NaHi
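The thread's fallback advice, when the runtime's hash function cannot be replaced, is to limit the request-parameter key space at the framework layer (the "latest Rack release" Hiroshi points to). Below is an added Ruby example, not code from the thread, JRuby or Rack, of that mitigation in miniature: a form-body parser that refuses to grow its parameter hash beyond a fixed number of distinct keys, so an attacker-supplied body cannot drive the hash table into pathological collision behaviour no matter which hash function sits underneath. The cap value, the `parse_form` name and the `TooManyParameters` error are assumptions for illustration; Rack's real limit is a separate, differently defined setting.

```ruby
require 'cgi'

# Assumed cap on distinct keys per request (illustrative value, not Rack's default).
MAX_PARAM_KEYS = 1000

# Raised when a body would exceed the configured key cap.
class TooManyParameters < StandardError; end

# Parse an application/x-www-form-urlencoded body into a Hash, refusing bodies
# that would insert more than `limit` distinct keys. The check runs before each
# new insertion, so the hash never grows past the cap even for a hostile body;
# repeated keys overwrite in place and do not count again.
def parse_form(body, limit: MAX_PARAM_KEYS)
  params = {}
  body.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split('=', 2)
    key = CGI.unescape(raw_key)
    unless params.key?(key)
      raise TooManyParameters, "more than #{limit} distinct keys" if params.size >= limit
    end
    params[key] = raw_value.nil? ? '' : CGI.unescape(raw_value)
  end
  params
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  p parse_form('user=alice&lang=ruby')
  begin
    parse_form((0...5).map { |i| "k#{i}=v" }.join('&'), limit: 3)
  rescue TooManyParameters => e
    puts "rejected: #{e.message}"
  end
end
```

Placing the guard in front of the insertion, rather than counting keys after parsing, is the point: a post-hoc count would already have paid the quadratic cost the advisory describes. The same shape applies to JSON object keys, cookie names and header names, which are all attacker-controlled hash keys in a typical web stack.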