Multiple vulnerabilities in Ruby

Bug #257122 reported by Mark Painter
Affects             Status        Importance  Assigned to       Milestone
ruby1.8 (Ubuntu)    Fix Released  Undecided   Unassigned
  Dapper            Fix Released  Undecided   Jamie Strandboge
  Feisty            Fix Released  Undecided   Jamie Strandboge
  Gutsy             Fix Released  Undecided   Jamie Strandboge
  Hardy             Fix Released  Undecided   Jamie Strandboge
  Intrepid          Fix Released  Undecided   Unassigned
ruby1.9 (Ubuntu)    Fix Released  Undecided   Jamie Strandboge
  Dapper            Won't Fix     Undecided   Unassigned
  Feisty            Won't Fix     Undecided   Unassigned
  Gutsy             Won't Fix     Undecided   Unassigned
  Hardy             Won't Fix     Undecided   Unassigned
  Intrepid          Fix Released  Undecided   Jamie Strandboge

Bug Description

Some vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks.

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Vulnerable versions

1.8 series

        * 1.8.5 and all prior versions
        * 1.8.6-p286 and all prior versions
        * 1.8.7-p71 and all prior versions

1.9 series

        * r18423 and all prior revisions
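The version ranges above are the only reliable way to tell from a bare interpreter whether it predates the upstream fixes. The following script is an added example, not part of the bug report or of the Ruby project's own code: it encodes exactly the ranges listed in the report (1.8 builds by version plus patchlevel, 1.9 builds by Subversion revision) and answers whether a given build falls inside them. The constant and function names are this example's own.

```ruby
# Added example; not part of the bug report or of the Ruby project's own code.
# It encodes the "Vulnerable versions" ranges listed in the report and answers
# whether a given Ruby build falls inside them. 1.8 builds are identified by
# version plus patchlevel, 1.9 builds by Subversion revision, as the advisory does.

# Highest affected patchlevel for each explicitly listed 1.8.x version.
# "1.8.5 and all prior versions" is handled separately below.
LAST_AFFECTED_PATCHLEVEL = { [1, 8, 6] => 286, [1, 8, 7] => 71 }.freeze

# "r18423 and all prior revisions" for the 1.9 series.
LAST_AFFECTED_19_REVISION = 18_423

# version    - RUBY_VERSION-style string, e.g. "1.8.6"
# patchlevel - RUBY_PATCHLEVEL for 1.8.6 / 1.8.7 builds (development builds
#              report -1, which is conservatively treated as affected)
# revision   - Integer Subversion revision of a 1.9 build, or nil if unknown
def affected_ruby?(version, patchlevel: 0, revision: nil)
  parts = version.split(".").map(&:to_i)

  if parts.first(2) == [1, 9]
    # An unknown revision cannot be shown to be newer than r18423, so report it.
    return revision.nil? || revision <= LAST_AFFECTED_19_REVISION
  end

  # Everything up to and including 1.8.5 is affected regardless of patchlevel.
  return true if (parts <=> [1, 8, 5]) <= 0

  # 1.8.6 and 1.8.7 are affected up to the listed patchlevel; later versions
  # (1.8.7-p72 onward, or any 2.x/3.x) lie outside the advisory's ranges.
  limit = LAST_AFFECTED_PATCHLEVEL[parts.first(3)]
  !limit.nil? && patchlevel <= limit
end

# Convenience wrapper for the interpreter running this script. RUBY_REVISION is
# an Integer only on Subversion-era builds; on git-era Rubies it is a hash
# string and is ignored here.
def current_ruby_affected?
  rev = defined?(RUBY_REVISION) && RUBY_REVISION.is_a?(Integer) ? RUBY_REVISION : nil
  affected_ruby?(RUBY_VERSION, patchlevel: RUBY_PATCHLEVEL, revision: rev)
end

if __FILE__ == $PROGRAM_NAME
  verdict = current_ruby_affected? ? "inside the advisory's vulnerable ranges" : "not in the listed ranges"
  puts "Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{verdict}"
end
```

One caveat the report itself illustrates: a distribution that backports fixes keeps the upstream version string, so this check would still flag the patched Ubuntu package 1.8.6.111-2ubuntu1.2 (upstream 1.8.6-p111) as affected. For distribution packages, the package changelog listing the CVEs is the authoritative record, not the interpreter version.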

Revision history for this message
Andrew Pollock (apollock) wrote :

I hate to be a nag, but this package is in main, and it's been a month, and well, the SABDFL seems to think Ubuntu has a good track record with security fixes...

"Well we have a better security track record than Red Hat, we do that by focusing very hard on security, making sure the updates are available as fast as possible on Ubuntu, independent studies have generally ranked Ubuntu number one."

http://derstandard.at/?url=/?id=3413801
http://lwn.net/Articles/290156/

Any chance it can get fixed?

Revision history for this message
Kees Cook (kees) wrote :

Thanks for the ping. We are working on it, but other updates have taken priority over Ruby. The open Ruby vulnerabilities are mostly denial-of-service or untrusted local script issues, which have traditionally been low priority.

Changed in ruby1.8:
assignee: nobody → jdstrand
status: New → Confirmed
assignee: jdstrand → nobody
status: Confirmed → Fix Released
assignee: nobody → jdstrand
status: New → Confirmed
assignee: nobody → jdstrand
status: New → Confirmed
assignee: nobody → jdstrand
status: New → Confirmed
assignee: nobody → jdstrand
status: New → Confirmed
Changed in ruby1.9:
assignee: nobody → jdstrand
Changed in ruby1.8:
status: Confirmed → In Progress
status: Confirmed → In Progress
status: Confirmed → In Progress
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.111-2ubuntu1.2

---------------
ruby1.8 (1.8.6.111-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Tue, 07 Oct 2008 13:34:00 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.3

---------------
ruby1.8 (1.8.6.36-1ubuntu3.3) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Thu, 09 Oct 2008 08:47:35 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.3

---------------
ruby1.8 (1.8.5-4ubuntu2.3) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/953_CVE-2008-3790.patch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/954_CVE-2008-2376.patch: adjust array.c to properly
      check argument length
    - CVE-2008-2376
  * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
    socket
    - debian/patches/955_CVE-2008-3443.patch: adjust regex.c to not use ruby
      managed memory and check for allocation failures
    - CVE-2008-3443
  * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
    - debian/patches/956_CVE-2008-3656.patch: update webrick/httputils.rb to
      properly check paths ending with '.'
    - CVE-2008-3656
  * SECURITY UPDATE: predictable transaction id and source port for DNS
    requests (separate vulnerability from CVE-2008-1447)
    - debian/patches/957_CVE-2008-3905.patch: adjust resolv.rb to use
      SecureRandom for transaction id and source port
    - CVE-2008-3905
  * SECURITY UPDATE: safe level bypass via DL.dlopen
    - debian/patches/958_CVE-2008-3657.patch: adjust rb_str_to_ptr and
      rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
      propagate taint and check taintness of DLPtrData
    - CVE-2008-3657
  * SECURITY UPDATE: safe level bypass via multiple vectors
    - debian/patches/959_CVE-2008-3655.patch: use rb_secure(4) in variable.c
      and syslog.c, check for secure level 3 or higher in eval.c and make
      sure PROGRAM_NAME can't be modified
    - CVE-2008-3655

 -- Jamie Strandboge <email address hidden> Thu, 09 Oct 2008 09:28:03 -0500

Changed in ruby1.8:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in ruby1.8:
status: In Progress → Fix Released
Changed in ruby1.9:
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Requested sync from Debian to 1.9.0.2-7 for Intrepid. See bug #281456.

Changed in ruby1.9:
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in ruby1.9:
status: In Progress → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in ruby1.9:
status: New → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

Changed in ruby1.9 (Ubuntu Gutsy):
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in ruby1.9 (Ubuntu Dapper):
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in ruby1.9 (Ubuntu Hardy):
status: New → Won't Fix