A vulnerability was found in Ruby’s BigDecimal stdlib. It enables attackers to cause a ruby process segfault. This release is to fix that issue. For detailed info on the vulnerability please refer:
This was caught by the rubyspecs and is not broken in the release of ruby-1.8.6_p369.
Yes, I know that much from talking to Kirk… but I’m confused why there would be a breakage in any of the other versions if everyone’s running RubySpecs.
On Thu, Jun 11, 2009 at 1:11 AM, Yukihiro M. [email protected] wrote:
It was me who introduced a bug. I neglected to run the test this time. Unfortunately, 1.9 maintainers seemed to trust me, who they shouldn’t trust. I hope we could learn something from this experience.
I have just committed all the fixes (from 1.9) to 1.8 HEAD.
I know how that is, and I sympathize. Good thing Ruby has a great community to catch us when we stumble.
Let me know if there’s any way I can help ruby-core devs include rubyspecs in day-to-day development. They only take about a minute to run.
In message “Re: Ruby 1.8.7-p173 released” on Thu, 11 Jun 2009 07:17:02 +0900, Charles Oliver N. [email protected] writes:
|Why was this not caught in the original fix? I thought the ruby-core
|folks were running RubySpecs now…
It was me who introduced a bug. I neglected to run the test this time. Unfortunately, 1.9 maintainers seemed to trust me, who they shouldn’t trust. I hope we could learn something from this experience.
I have just committed all the fixes (from 1.9) to 1.8 HEAD.