...which further proves my point that Ruby is a bad, bad platform choice for production applications right now. You just can't have this level of insecurity, sloppiness, and unresponsiveness among the developers in a platform you would use for serious applications. Maybe one day Ruby, Rails, et al. will be ready for prime time, but it's just not now, IMO.

update: by Ruby I mean the standard Matz codebase.
"Ruby Enterprise Edition" has a copy of the relevant patch here: http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt

[from a quick skim of the patch:] The changes to array.c and string.c look pretty worrying, seems like there are unchecked error conditions that aren't too hard to exploit, possibly allowing buffer overflows in String.... e.g. any code where the attacker could specify the right-hand-side argument to the in-place string concatenation operators (String#concat and String#<<) may be affected. Most string concatenations probably aren't in-place (using String#+ instead), but there's probably at least a handful of in-place string concats in popular packages like Rails.
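An added triage helper for the audit the comment above suggests (this is not code from the thread, from the patch, or from the REE project): it uses Ruby's standard Ripper parser to list every in-place append site (`<<` and `.concat`) in a source file so a reviewer can check which ones take an untrusted right-hand side. It assumes a static scan is good enough for triage; Ripper cannot tell a String receiver from an Array one, so every hit is reported and the reader decides.

```ruby
# Added example: find in-place append call sites (String#<< / String#concat)
# in Ruby source with the standard-library Ripper parser. Static only: it
# cannot distinguish String from Array receivers, so it over-reports by design.
require 'ripper'

# Best-effort line number: first token node ([:@ident, str, [line, col]] etc.)
# found under the given S-expression node; 0 if none.
def line_of(node)
  return nil unless node.is_a?(Array)
  if node[0].is_a?(Symbol) && node[0].to_s.start_with?('@') && node[2].is_a?(Array)
    return node[2][0]
  end
  node.each { |child| l = line_of(child); return l if l }
  nil
end

# Returns [[line, description], ...] sorted by line, one entry per hit.
def find_inplace_concats(source)
  hits = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    case node[0]
    when :binary                       # [:binary, lhs, :<<, rhs]
      hits << [line_of(node[1]) || 0, 'String#<< (in-place append)'] if node[2] == :<<
    when :call, :command_call          # [:call, receiver, op, [:@ident, "concat", [line, col]]]
      meth = node[3]
      if meth.is_a?(Array) && meth[0] == :@ident && meth[1] == 'concat'
        hits << [meth[2][0], 'String#concat (in-place append)']
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  hits.sort
end

# Constructed sample input: lines 3 and 4 append in place from request
# parameters and should be flagged; line 5 uses String#+ and should not.
SAMPLE = <<~RUBY
  def build(params)
    buf = "header: "
    buf << params[:name]
    buf.concat(params[:comment])
    safe = "x" + params[:name]
    safe
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_inplace_concats(SAMPLE).each { |line, what| puts "line #{line}: #{what}" }
end
```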
The "Ruby Enterprise Edition" team has backported their patches too.

Watch out if you have a non-standard directory though. For some strange reason --with-prefix= didn't work for me and I had to manually change the prefix in the configure script.