There is a severe vulnerability in OpenSSL’s implementation of the TLS/DTLS
(transport layer security protocols) heartbeat extension (RFC 6520).
This is a serious vulnerability which has been assigned the CVE identifier
CVE-2014-0160.

Exploitation may lead to disclosure of memory contents from the server to the
client and from the client to the server. An attacker can remotely retrieve
sensitive data from memory, including, but not limited to, secret keys used for
SSL encryption and authentication tokens.

For more information on the attacks see heartbleed.com.

How is Ruby affected?

Ruby is affected when statically compiled against a vulnerable version of
OpenSSL through the standard library OpenSSL C extension.

OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable to this
attack. To verify which version of the OpenSSL library you link to Ruby,
use the following:

ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'

To verify the version of OpenSSL currently installed with Ruby,
use the following:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
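As an added example (not part of the original advisory), the following Ruby script turns the two version checks above into a repeatable test: it classifies an OpenSSL version string against the affected range the advisory names (1.0.1 through 1.0.1f inclusive) and compares the version Ruby's openssl extension was compiled against (OpenSSL::OPENSSL_VERSION) with the library actually loaded at runtime (OpenSSL::OPENSSL_LIBRARY_VERSION, which only newer Ruby releases define; the script falls back to the compiled string when it is absent). The function names and the sample version strings in the comments are constructed for this example.

```ruby
# Added example, not code from the original advisory: classify an OpenSSL
# version string against the Heartbleed-affected range, 1.0.1 .. 1.0.1f
# inclusive, and compare compile-time and runtime OpenSSL versions.

# Matches the leading "OpenSSL 1.0.1e" part of strings such as
# "OpenSSL 1.0.1e 11 Feb 2013"; the trailing letter is the patch level.
OPENSSL_VERSION_RE = /\AOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)/

# True when the string names an upstream release in 1.0.1 .. 1.0.1f.
# A distribution may backport the fix without changing this string, so a
# true result means "verify with your distributor", not a confirmed hole.
def heartbleed_vulnerable?(version_string)
  m = OPENSSL_VERSION_RE.match(version_string)
  raise ArgumentError, "unrecognised OpenSSL version: #{version_string.inspect}" unless m

  major, minor, fix = m[1].to_i, m[2].to_i, m[3].to_i
  patch = m[4]
  return false unless [major, minor, fix] == [1, 0, 1]

  # "1.0.1" (no letter) and "1.0.1a" .. "1.0.1f" are affected; "1.0.1g" fixed it.
  patch.empty? || (patch.length == 1 && patch <= "f")
end

# compiled: OpenSSL::OPENSSL_VERSION, the headers the extension was built with.
# runtime:  OpenSSL::OPENSSL_LIBRARY_VERSION, the library loaded right now.
# The runtime library is the code that handles heartbeat records, so it
# decides the result; a mismatch shows the extension was built against
# different headers and is the cue to rebuild Ruby, as the advisory says.
def heartbleed_status(compiled:, runtime: compiled)
  {
    compiled: compiled,
    runtime: runtime,
    vulnerable: heartbleed_vulnerable?(runtime),
    mismatch: compiled != runtime,
  }
end

if __FILE__ == $PROGRAM_NAME
  require 'openssl'
  compiled = OpenSSL::OPENSSL_VERSION
  runtime = OpenSSL.const_defined?(:OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : compiled
  begin
    status = heartbleed_status(compiled: compiled, runtime: runtime)
    puts "compiled against:  #{status[:compiled]}"
    puts "loaded at runtime: #{status[:runtime]}"
    puts "version mismatch:  #{status[:mismatch]}"
    puts(status[:vulnerable] ? "in the affected range (verify with your distributor)" : "outside the affected range")
  rescue ArgumentError => e
    # e.g. a LibreSSL build, whose version string this check does not parse
    puts "could not classify: #{e.message}"
  end
end
```

Run it with the same Ruby you deploy with (`ruby check_heartbleed.rb`, assuming that file name); a mismatch between the two strings after an OpenSSL upgrade is exactly the situation the advisory's "recompile Ruby" step addresses.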

You can verify whether your client software or a running service is vulnerable
by using emboss’s script.

Solutions

To upgrade to OpenSSL 1.0.1g or newer, check with your operating system's
package manager to ensure it provides an up-to-date OpenSSL. You may need to
consult your operating system distributor to verify that their version of
OpenSSL is patched, regardless of the version number shown, since
distributions often backport the fix without changing the version string.

If upgrading is not an option, recompile OpenSSL with the option
-DOPENSSL_NO_HEARTBEATS at build time, which disables the heartbeat extension.

With an upgraded OpenSSL, it’s recommended to recompile Ruby to ensure
there are no links to a vulnerable version of OpenSSL.

This means updating any tools used to build Ruby, such as RVM or ruby-build.
If you build Ruby yourself, use the --with-openssl-dir option at configure
time to link against the upgraded OpenSSL installation directory:

$ ./configure --with-openssl-dir=/path/to/openssl
$ make
$ make install

After upgrading OpenSSL and Ruby, it’s important to restart all programs
using the vulnerable version.

Many operating system distributions already provide (or will soon be
providing) patched versions and rebuilt packages for libraries vulnerable to
this attack. It’s important to monitor your operating system distributor to
ensure you remain secure.

Posted by hone and zzak on 10 Apr 2014
