02 Feb '13, 9pm

YAML's security woes are way bigger than Rails or Ruby. The spec allows markup to specify any complex data type.

This document reflects the third version of YAML data serialization language. The content of the specification was arrived at by consensus of its authors and through user feedback on the yaml-core mailing list. We encourage implementers to please update their software with support for this version. The primary objective of this revision is to bring YAML into compliance with JSON as an official subset. YAML 1.2 is compatible with 1.1 for most practical applications - this is a minor revision. An expected source of incompatibility with prior versions of YAML, especially the syck implementation, is the change in implicit typing rules. We have removed unique implicit typing rules and have updated these rules to align them with JSON's productions. In this version of YAML, boolean values may be serialized as "true" or "false"; the empty scalar as "null". Unquoted numeric valu...

Full article: http://www.yaml.org/spec/1.2/spec.html

Tweets

#Vulnerabilities Ruby on Rails JSON Processor Y...

net-security.org 03 Feb '13, 7am

Cisco shows the global picture of information security Posted on 31 January 2013. | Cisco released findings from two globa...

For those concerned about @padrinorb in the lig...

padrinorb.com 04 Feb '13, 4pm

Rails and the Ruby community had their fair share of security vulnerabilities in the recent days. Where does that leave Pa...

[remote] - Ruby on Rails JSON Processor YAML De...

exploit-db.com 29 Jan '13, 3pm

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Ple...

My (quick) presentation from yesterday on the YA... vuln

speakerdeck.com 06 Feb '13, 10am

Quick presentation on the YAML vuln and the impact on a Rails application.

Anatomy of an Exploit: An In-depth Look at the Rails YAML Vulnerability

Anatomy of an Exploit: An In-depth Look at the ...

rubysource.com 04 Feb '13, 2pm

Exploits happen, and this month the Rails and Ruby communities have seen no shortage. From a major exploit in Rails to a ...

Ruby on Rails JSON Processor YAML Deserializati...

packetstormsecurity.com 29 Jan '13, 4pm

This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails a...

Top Ruby Article: XML-YAML-parsing security fix...

rubyglasses.blogspot.com 27 Jan '13, 3am

Earlier I mentioned the Serious Rails vulnerability that affects all versions of Rails for the last six years. A fix has b...

#Vulnerabilities Ruby on Rails XML Processor YA...

net-security.org 22 Jan '13, 6pm

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and ...
