Hongli Lai wrote:
> Now that you mention it, Keita Yamaguchi sent me an eval.c security 
> patch a while back. Upon closer inspection it seems that this patch is 
> not included in the FreeBSD patch set, and neither is bignum.c.
The analysis Zed Shaw described in his blog was based on reviewing all 
the changes made this month. Although this is more time consuming, it 
also seems like the most methodical way of making sure we catch all the 
relevant changes.

> I've made an updated patch set:
> http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
Excellent, thank you.

> Was file.c vulnerable? I see a number of Windows fixes for file.c, but 
> it's not immediately clear whether the changes also include security 
> fixes.
If I recall correctly, a blog post (which I can't find at the moment) 
suggested that some of this addressed general buffer overflow issues and 
Windows-specific traversal attacks. So these may be worth considering.

-igal
-- 
Posted via http://www.ruby-forum.com/.
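The thread's check (which files a backported security patch set fails to cover, such as eval.c and bignum.c above) can be done mechanically by comparing the file headers of the upstream changes for the review window against those of the patch set. The script below is an added example and not code from the thread, from Phusion's patch set or from the ruby project; both diffs in it are constructed sample input in svn- and git-style header formats, not the real patches, and the file names are taken from the discussion only for illustration.

```ruby
require 'set'

# Paths touched by a unified diff. Reads both "---" and "+++" headers so a
# deleted file (whose "+++" side is /dev/null) is still reported. Accepts
# git-style "a/path" headers and svn-style "path<TAB>(revision N)" headers.
def touched_files(diff_text)
  diff_text.each_line.with_object(Set.new) do |line, files|
    next unless line.start_with?('--- ', '+++ ')
    path = line[4..-1].strip.split("\t").first  # drop svn/diff timestamp field
    next if path.nil? || path == '/dev/null'
    files << path.sub(%r{\A[ab]/}, '')          # drop git's a/ and b/ prefix
  end
end

# Files changed upstream in the review window that the backported patch set
# never touches: the starting point for a "what did we miss" review.
def missing_from_patch_set(upstream_diff, patch_set_diff)
  (touched_files(upstream_diff) - touched_files(patch_set_diff)).to_a.sort
end

# Constructed sample input (not a real upstream diff): three files changed
# upstream this month, written in the svn header style ruby's repository used.
UPSTREAM_DIFF = <<~DIFF
  Index: eval.c
  --- eval.c\t(revision 17600)
  +++ eval.c\t(working copy)
  @@ -1,2 +1,3 @@
   int x;
  +int y;
  Index: bignum.c
  --- bignum.c\t(revision 17600)
  +++ bignum.c\t(working copy)
  @@ -1,1 +1,1 @@
  -return 0;
  +return 1;
  Index: file.c
  --- file.c\t(revision 17600)
  +++ file.c\t(working copy)
  @@ -1,1 +1,1 @@
  -char buf[10];
  +char buf[PATH_MAX];
DIFF

# Constructed sample backport (not Phusion's actual patch set): it carries the
# file.c change plus an unrelated string.c change, but neither eval.c nor
# bignum.c, which is exactly the gap the review is meant to surface.
PATCH_SET_DIFF = <<~DIFF
  --- a/file.c
  +++ b/file.c
  @@ -1,1 +1,1 @@
  -char buf[10];
  +char buf[PATH_MAX];
  --- a/string.c
  +++ b/string.c
  @@ -1,1 +1,2 @@
   void f(void);
  +void g(void);
DIFF

if __FILE__ == $PROGRAM_NAME
  missing = missing_from_patch_set(UPSTREAM_DIFF, PATCH_SET_DIFF)
  puts "upstream files not covered by the patch set: #{missing.join(', ')}"
end
```

Two caveats for real use: a file name is only a coarse signal, so a file that both diffs touch (file.c here) still needs its hunks compared by hand to confirm the security-relevant change was actually backported; and a removed content line whose text begins with "-- " would also match the "--- " header test, so for noisy diffs restrict the header match to the lines immediately preceding an "@@" hunk marker.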