We have released 1.9.2-p330, the final release of the 1.9.2 series.
Soon after announcing theEnd of Life for 1.9.2 (and 1.8.7),a critical security regression was found in 1.9.2.
This bug occurs when parsing a long string is using the URI methoddecode_www_form_component
. This can be reproduced by running the followingon vulnerable Rubies:
ruby -v -ruri -e'URI.decode_www_form_component "A string that causes catastrophic backtracking as it gets longer %"'
Since it was found and patched just before the release of 1.9.3, versions ofRuby 1.9.3-p0 and later are not affected; however versions of Ruby 1.9.2older than 1.9.2-p330 are affected.
You can read the original report on the bug tracker:https://bugs.ruby-lang.org/issues/5149#note-4
Download
http://cache.ruby-lang.org/pub/ruby/ruby-1.9.2-p330.tar.bz2
SIZE: 9081661 bytesMD5: 8ba4aaf707023e76f80fc8f455c99858SHA256: 6d3487ea8a86ad0fa78a8535078ff3c7a91ca9f99eff0a6a08e66c6e6bf2040f
http://cache.ruby-lang.org/pub/ruby/ruby-1.9.2-p330.tar.gz
SIZE: 11416473 bytesMD5: 4b9330730491f96b402adc4a561e859aSHA256: 23ef45fdaecc5d6c7b4e9e2d51b23817fc6aa8225a20f123f7fa98760e8b5ca9
http://cache.ruby-lang.org/pub/ruby/ruby-1.9.2-p330.zip
SIZE: 12732739 bytesMD5: 42d261b28d1b7e500dd3bdbdbfba7fa5SHA256: 7a04a028564de7f2ad09f26c8d57fd40fe2b0a6a0e1d9ff7205010ca6e70cea6
We encourage you to upgrade to a stable and maintainedversion of Ruby.
Posted by zzak and hone on 19 Aug 2014