Igal Koshevoy wrote:
> For the sake of protecting Ruby's good image, I believe it's necessary
> to ship an *official* version that's compatible and addresses these
> vulnerabilities as soon as possible. After that's shipped, resolving
> the matter with the API changes in the current code will likely be a
> priority. If there's anything that we in the Ruby community can help
> you with, please ask. :)

Yes.  Please write a patch :)

I know your concerns.  I know you all need a stable Ruby, rather than a
beautifully working Ruby.  Actually that's why I'm still maintaining
1.8.6.  And sorry again for its being unexpectedly unstable.

But honestly I'm doubtful about the urgency of the current situation.  If things
are that dangerous someone might be writing patches, like some people
did for p230.  I think p230 was dangerous enough.  But now that fixes
are made, it seems it's less urgent.  I think we should wait for fixes
made into 1.8.6, rather than reverting to p114 + a security fix.  If you
can't wait please fix it by yourself; we are very grateful to merge that
into our repository.  In other words, I think it's not that urgent
because no one seems to be trying to fix those APIs.

Anyway, p238 source code can be downloaded via
http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_238