On Wed, Mar 12, 2008 at 07:36:54AM +0900, Urabe Shyouhei wrote:
> Hi,
> 
> Jos Backus wrote:
>> /etc/passwd is shown (=bad). This means that e.g. ruby-1.8.5-p115 is still
>> vulnerable on UNIX.
>>   
> 
> 
> First of all, thank you very much for reporting this.  We will fix this 
> issue as soon as possible.
> 
> But your posting this sensitive info on a public mailing list caused a bit of a 
> worrying situation where all existing WEBrick servers
> are now facing a threat of attacks.  Next time would you please send 
> security considerations to security / ruby-lang.org?
> 
> To people running WEBrick servers:  we are now analyzing this issue.  This 
> is my personal opinion but it is safer for you to stop your processes (if 
> possible) until we fix this.  Please stay tuned for upcoming announcements.

I'm so sorry. It's a false alarm. The reason we were confused was that a
colleague brought the directory traversal bug in our web application to our
attention. Doing some googling I found the recently fixed bug in Webrick,
thinking there had to be another issue at hand, hence the email. Further
inspection of our setup revealed that we are running a vulnerable version of
Mongrel, not Webrick. We used to run Webrick for this app, which explains why I
was thinking the problem was with Webrick.

In short, it's a (since fixed) Mongrel issue; Webrick is _not_ vulnerable. My
sincere apologies for the false alarm. Thank you for your quick response and
caring.

-- 
Jos Backus
jos at catnook.com