New Bug Discovered in Ruby

A deserialization vulnerability in Ruby was discovered by Elttam from Australia
12 November 2018

The problem of object serialization and deserialization has reached Ruby. The bug was found by experts from the Australian company Elttam.

Serialization in programming is the translation of a data structure into another format that is more convenient for storage or transfer. The inverse operation is deserialization: restoring the original state of the data structure from the byte sequence. Ruby has this capability built in and, as it turned out, it allows attackers to use the language's native mechanisms to carry out their attacks.

Elttam researchers have included a proof-of-concept exploit in their report that demonstrates the issue. The problem is that these mechanisms are built into the language itself, namely in versions 2.0 to 2.5. It is also assumed that the attack methods can be adapted to older versions. In addition, the alternative Ruby implementations JRuby and Rubinius can potentially have similar problems.

Serialization and deserialization vulnerabilities exist in other languages as well. In 2015 they were found in Java libraries, in research published by FoxGlove Security. In 2017 a similar problem was discovered in .NET libraries, and in 2018 in PHP; in the latter case it affects the WordPress engine. Such problems are usually resolved by releasing patches, although the bugs are often difficult to detect. At the same time, it should be understood that serializing and deserializing data in itself weakens its security.
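As an added illustration of the defensive side of the issue described above (this is constructed for this article; it is not Ruby's own code and not part of the Elttam report), the following Ruby snippet walks a Marshal 4.8 byte stream before handing it to Marshal.load and rejects every type code that would make the loader look up a class, call marshal_load or _load, or extend an object. Only plain data (nil, booleans, fixnums, floats, strings, symbols, arrays, hashes and their links) is accepted. For new interfaces, the JSON helper at the end shows the simpler option of a data-only format with class instantiation disabled. The class and method names are the author's own choices.

```ruby
require 'json'

class UnsafeMarshalPayload < StandardError; end

# Allowlist scanner for Marshal 4.8 streams. Anything that is not pure data
# (o, u, U, C, e, S, d, c, m, M, l, /, } ...) is refused before Marshal.load
# ever sees the bytes. Constructed example, not code from Ruby or Elttam.
class MarshalDataScanner
  ALLOWED = {
    '0' => :nil, 'T' => :true, 'F' => :false, 'i' => :fixnum, 'f' => :float,
    '"' => :string, ':' => :symbol, ';' => :symlink, '@' => :objlink,
    '[' => :array, '{' => :hash, 'I' => :ivar
  }.freeze

  def initialize(bytes)
    @buf = bytes.b
    @pos = 0
  end

  # Returns true when the whole stream consists of allowed data; raises otherwise.
  def scan!
    raise UnsafeMarshalPayload, 'not a Marshal 4.8 stream' unless @buf.byteslice(0, 2) == "\x04\x08".b
    @pos = 2
    node
    raise UnsafeMarshalPayload, 'trailing bytes' unless @pos == @buf.bytesize
    true
  end

  private

  def byte
    raise UnsafeMarshalPayload, 'truncated stream' if @pos >= @buf.bytesize
    c = @buf.getbyte(@pos)
    @pos += 1
    c
  end

  # Marshal's packed integer encoding (mirrors r_long in Ruby's marshal.c).
  def long
    c = byte
    c -= 256 if c > 127
    return 0 if c.zero?
    if c > 0
      return c - 5 if c > 4
      x = 0
      c.times { |i| x |= byte << (8 * i) }
      x
    else
      return c + 5 if c < -4
      x = -1
      (-c).times { |i| x = (x & ~(0xff << (8 * i))) | (byte << (8 * i)) }
      x
    end
  end

  # Length-prefixed byte blob used by strings, symbols and floats.
  def blob
    len = long
    raise UnsafeMarshalPayload, 'negative length' if len < 0
    @pos += len
    raise UnsafeMarshalPayload, 'truncated string' if @pos > @buf.bytesize
  end

  def node
    code = byte.chr
    kind = ALLOWED[code]
    raise UnsafeMarshalPayload, "type code #{code.inspect} can instantiate objects" unless kind
    case kind
    when :nil, :true, :false then nil
    when :fixnum, :symlink, :objlink then long
    when :string, :symbol, :float then blob
    when :array then long.times { node }
    when :hash then long.times { node; node }
    when :ivar
      node                       # the wrapped object (e.g. a string)
      long.times { node; node }  # instance-variable name/value pairs (encoding flags)
    end
  end
end

# Deserialize untrusted Marshal input only after the scanner has accepted it.
def safe_marshal_load(bytes)
  MarshalDataScanner.new(bytes).scan!
  Marshal.load(bytes)
end

# True when the scanner refuses the given stream (used for checks below).
def rejected_by_scanner?(bytes)
  MarshalDataScanner.new(bytes).scan!
  false
rescue UnsafeMarshalPayload
  true
end

# For new interfaces: a data-only format with class instantiation turned off.
def load_untrusted_json(text)
  JSON.parse(text, create_additions: false)
end
```

The scanner is deliberately strict: a payload carrying a Time, a Regexp, a bignum or any user-defined class is refused even though Marshal.load would accept it, because the allowlist covers only what a typical session or cache payload needs. Extending the allowlist is a conscious decision, not a default.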

GitHub to Launch Sponsorship System

GitHub does not charge fees and will cover payment processing costs for the first year
24 May 2019

A system called GitHub Sponsors has been launched to provide financial support for open source projects. The new service offers a new form of participation in project development: a user who cannot help with development can join the projects of interest as a sponsor and fund specific developers, maintainers, designers, documentation authors, testers and other participants involved in the project.

Using the sponsorship system, any GitHub user can transfer fixed monthly amounts to open source developers who have registered with the service as members willing to receive financial support (the number of participants is limited while the service is being tested). Sponsored members can define support levels and the privileges associated with each, such as priority bug fixes. The possibility of funding not only individual participants but also groups of developers working on a project is being considered.

Unlike other crowdfunding sites, GitHub does not charge fees and will cover payment processing costs for the first year. The introduction of payment processing fees in the future is not ruled out. To support the service, a special fund called the GitHub Sponsors Matching Fund has been created, which will handle the distribution of funds.