We have released 1.9.2-p330, the final release of the 1.9.2 series.

Soon after announcing the End of Life for 1.9.2 (and 1.8.7), a critical security regression was found in 1.9.2.

This bug occurs when parsing a long string is using the URI method decode_www_form_component. This can be reproduced by running the following on vulnerable rubies:

ruby -v -ruri -e'URI.decode_www_form_component "A string that causes catastrophic backtracking as it gets longer %"'

Since it was found and patched just before the release of 1.9.3, versions of Ruby 1.9.3-p0 and later are not affected; however versions of Ruby 1.9.2 older than 1.9.2-p330 are affected.

You can read the original report on the bug tracker: https://bugs.ruby-lang.org/issues/5149#note-4


We encourage you to upgrade to a stable and maintained version of Ruby.

Posted by zzak and hone on 19 Aug 2014

Read more at the source