M. Edward (Ed) Borasky wrote:
> Igal Koshevoy wrote:
>> Federico Builes wrote:
>>> I'm not sure what the situation is with most of these libraries, but I 
>>> was responsible for the REXML specs, so let me chime in. P111 had a 
>>> _really_ buggy REXML revision with several typos/small bugs that 
>>> were (mostly) fixed in P114, so that might be a better target for 
>>> compatibility (for that library at least).
>> I'm glad you mentioned this. When I was talking about using a stable 
>> p111, I meant the copy shipped with Ubuntu that's got 11 patches 
>> applied to it, including the REXML fixes. It would be a worthwhile 
>> effort to figure out what patches the various distros are using, 
>> making sure they're providing a complete solution, and also ensuring 
>> that we're incorporating these into the other solutions we've been 
>> throwing around.
>>
>> Here's what some vendors are doing:
>>
>> FreeBSD ports patches the vulnerability against p111:
>>    http://www.freebsd.org/cgi/cvsweb.cgi/ports/lang/ruby18/files/
>>
>> Ubuntu 7.10 patches the vulnerability against p36:
>>    https://launchpad.net/ubuntu/gutsy/+source/ruby1.8/1.8.6.36-1ubuntu3.2/+files/ruby1.8_1.8.6.36-1ubuntu3.2.diff.gz
>>
>> Ubuntu 8.04 patches the vulnerability against p111:
>>    https://launchpad.net/ubuntu/hardy/+source/ruby1.8/1.8.6.111-2ubuntu1.1/+files/ruby1.8_1.8.6.111-2ubuntu1.1.diff.gz
>>
>> because.
>> Fedora 9 patches the vulnerability against p230:
>>    http://download.fedora.redhat.com/pub/fedora/linux/updates/9/SRPMS/ruby-1.8.6.230-2.fc9.src.rpm
>>
>> RedHat Enterprise Linux 5.1, their latest, uses 1.8.5 and is vulnerable:
>>    http://install.linux.duke.edu/pub/linux/updates/centos-5.1/SRPMS/ruby-1.8.5-5.el5_1.1.src.rpm
>>
>> -igal
>>
>>
> Gentoo is using 1.8.6-p114 with two patches:
>
>>>>> Emerging (1 of 1) dev-lang/ruby-1.8.6_p114 to /
>>  * ruby-1.8.6-p114.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                [ ok ]
>>  * checking ebuild checksums ;-) ...                                      [ ok ]
>>  * checking auxfile checksums ;-) ...                                     [ ok ]
>>  * checking miscfile checksums ;-) ...                                    [ ok ]
>>  * checking ruby-1.8.6-p114.tar.bz2 ;-) ...                               [ ok ]
>>>>> Unpacking source...
>>>>> Unpacking ruby-1.8.6-p114.tar.bz2 to /var/tmp/portage/dev-lang/ruby-1.8.6_p114/work
>>  * Applying ruby-1.8.6-memory-leak.diff ...                               [ ok ]
>>  * Applying ruby-1.8.6_p111-r13657.patch ...                              [ ok ]
>
> Incidentally, Ruby 1.8.7 is in the Portage tree, but it's masked.
>
>
Thanks for the info, Ed.

Providing support and patches for 1.8.5 may be necessary. The latest 
releases of RedHat Enterprise Linux, Debian Etch (AKA "4" or "stable"), 
SUSE, and possibly others are still shipping 1.8.5 and will be 
frustrated by the abrupt termination of updates.

-igal