BigDecimal Vulnerability in Ruby 1.8.6 and 1.8.7

Yesterday, the first security vulnerability since Engine Yard took over maintenance of Ruby 1.8.6 was reported. It is a Denial of Service vulnerability in BigDecimal, by which an attacker can cause a segmentation fault by providing a very large number as input. ActiveRecord relies on BigDecimal, but this is not Rails specific.

Today, as part of our maintainer role for 1.8.6, we published a fix as part of Ruby 1.8.6 patch-level 369 and as a part of Ruby 1.8.7 patch-level 173.

The issue was initially discovered and fixed in the Ruby 1.9.1 trunk. We backported the fix to 1.8.6 by writing a test, watching it fail, then making it pass (the same way we always do). As part of our test-driven approach, Kirk Haines then added a test in RubySpec to test for the condition. We ran the test suite on OSX, RedHat Enterprise 3, CentOS 4, 32 and 64 bit Engine Yard Solo instances, and an Engine Yard Slice to verify the fix.

Engine Yard customers have been notified about the vulnerability via email with instructions on how to upgrade. Engine Yard Solo customers can get the new, patched version of Ruby 1.8.6 simply by redeploying their environments. In the future, new Engine Yard deployments will automatically get the new version.