Federico Builes wrote:
> I'm not sure how's the situation with most of these libraries but I
> was responsible for the REXML specs so let me chime in. P111 had a
> _really_ buggy REXML revision with several typos/small bugs that were
> (mostly) fixed in P114 so that might be a better target for
> compatibility (for that library at least).

I'm glad you mentioned this. When I was talking about using a stable p111, I meant the copy shipped with Ubuntu, which has 11 patches applied to it, including the REXML fixes.

It would be a worthwhile effort to figure out what patches the various distros are using, making sure they're providing a complete solution, and also ensuring that we're incorporating these into the other solutions we've been throwing around.

Here's what some vendors are doing:

FreeBSD ports patches the vulnerability against p111:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

Ubuntu 7.10 patches the vulnerability against p36:
https://launchpad.net/ubuntu/gutsy/+source/ruby1.8/1.8.6.36-1ubuntu3.2/+files/ruby1.8_1.8.6.36-1ubuntu3.2.diff.gz

Ubuntu 8.04 patches the vulnerability against p111:
https://launchpad.net/ubuntu/hardy/+source/ruby1.8/1.8.6.111-2ubuntu1.1/+files/ruby1.8_1.8.6.111-2ubuntu1.1.diff.gz

Fedora 9 patches the vulnerability against p230:
http://download.fedora.redhat.com/pub/fedora/linux/updates/9/SRPMS/ruby-1.8.6.230-2.fc9.src.rpm

Red Hat Enterprise Linux 5.1, their latest, uses 1.8.5 and is vulnerable:
http://install.linux.duke.edu/pub/linux/updates/centos-5.1/SRPMS/ruby-1.8.5-5.el5_1.1.src.rpm

-igal