Federico Builes wrote:
> I'm not sure how's the situation with most of these libraries but I 
> was responsible for the REXML specs so let me chime in. P111 had a 
> _really_ buggy REXML revision with several typos/small bugs that were 
> (mostly) fixed in P114 so that might be a better target for 
> compatibility (for that library at least).
I'm glad you mentioned this. When I was talking about using a stable 
p111, I meant the copy shipped with Ubuntu that's got 11 patches applied 
to it, including the REXML fixes. It would be a worthwhile effort to 
figure out what patches the various distros are using, making sure 
they're providing a complete solution, and also ensuring that we're 
incorporating these into the other solutions we've been throwing around.

Here's what some vendors are doing:

FreeBSD ports patches the vulnerability against p111:
    http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/

Ubuntu 7.10 patches the vulnerability against p36:
    https://launchpad.net/ubuntu/gutsy/+source/ruby1.8/1.8.6.36-1ubuntu3.2/+files/ruby1.8_1.8.6.36-1ubuntu3.2.diff.gz

Ubuntu 8.04 patches the vulnerability against p111:
    https://launchpad.net/ubuntu/hardy/+source/ruby1.8/1.8.6.111-2ubuntu1.1/+files/ruby1.8_1.8.6.111-2ubuntu1.1.diff.gz

Fedora 9 patches the vulnerability against p230:
    http://download.fedora.redhat.com/pub/fedora/linux/updates/9/SRPMS/ruby-1.8.6.230-2.fc9.src.rpm

RedHat Enterprise Linux 5.1, their latest, uses 1.8.5 and is vulnerable:
    http://install.linux.duke.edu/pub/linux/updates/centos-5.1/SRPMS/ruby-1.8.5-5.el5_1.1.src.rpm

-igal