A Denial of Service (DoS) vulnerability has been found in all versions of Ruby 1.8.x:

Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.
ActiveRecord relies on this conversion method, so most Rails applications are affected, although this is not a Rails-specific issue.
The Riding Rails blog also points out the vulnerability:

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However, these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

The blog also points to NZKoz' bigdecimal-segfault-fix, a temporary fix for users who can't immediately upgrade their Ruby installation, although upgrading is the only proper solution, since this fix can break applications.
All Ruby 1.8.x versions are affected; the first fixed versions of Ruby are Ruby 1.8.6-p369 and Ruby 1.8.7-p173.
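A check that can be run against the `ruby -v` output collected from each host, added here as an example (it is not code from the article, from ruby-lang or from Rails); the fixed patchlevels are the ones named above, while the banner format and the treatment of builds that report no patchlevel are assumptions.

```ruby
# Added example: decide whether a Ruby build predates the first fixed
# patchlevels named in the advisory (1.8.6-p369 and 1.8.7-p173), either from
# a version/patchlevel pair or from a `ruby -v` banner such as
#   ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]

FIRST_FIXED_PATCHLEVEL = {
  "1.8.6" => 369,
  "1.8.7" => 173,
}.freeze

# True when version/patchlevel is an unpatched 1.8.x build.
# - 1.8 releases with no fixed patchlevel listed (1.8.5 and earlier) are
#   reported as affected, matching the advisory's "all 1.8.x" statement.
# - A missing patchlevel (nil, or -1 on development builds) is reported as
#   affected, because it cannot be shown to include the fix (assumption).
# - Anything outside 1.8 is outside this advisory's scope and returns false.
def affected?(version, patchlevel)
  major, minor = version.split(".").map { |part| part.to_i }
  return false unless major == 1 && minor == 8
  fixed = FIRST_FIXED_PATCHLEVEL[version]
  return true if fixed.nil?
  patchlevel.nil? || patchlevel < fixed
end

# Parse a `ruby -v` banner into [version, patchlevel]; patchlevel is nil when
# the banner carries no "patchlevel N" token (1.9+ builds, and 1.8 builds
# that predate patchlevel numbering). Returns nil for non-Ruby input.
def parse_ruby_banner(banner)
  m = banner.match(/\Aruby (\d+\.\d+\.\d+)(?: \([^)]*?(?:patchlevel (-?\d+))?\))?/)
  return nil unless m
  [m[1], m[2] && m[2].to_i]
end

# Convenience wrapper: true/false for a Ruby banner, nil if it is not one.
def affected_banner?(banner)
  parsed = parse_ruby_banner(banner)
  return nil if parsed.nil?
  affected?(*parsed)
end

if __FILE__ == $0
  # Report on the interpreter running this script (RUBY_PATCHLEVEL is absent
  # on very old 1.8 builds, hence the defined? guard).
  level = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  verdict = affected?(RUBY_VERSION, level) ? "AFFECTED" : "not affected"
  puts "ruby #{RUBY_VERSION} patchlevel #{level.inspect}: #{verdict}"
end
```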
JRuby also seems to be affected. Bug JRUBY-3744 tracks the issue and says:

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop.