Hey all, patched ruby on my development and production environments
to 1.8.6-p230 to address these new ruby vulnerabilities:
Arbitrary code execution vulnerabilities
mongrel began segfaulting after restarting.
Then tried ruby 1.8.7-p22 and upgrading to rails 2.1.0 (from rails
2.0.2), same issue. Had to revert back to the vulnerable GA 1.8.6.
Running centos 4, mongrel 1.1.5 (tried 1.1.3, 1.1.4 as well, all same
results).
Any further info I can provide, I’d be glad to.
Dave
OSVDB.org
On Mon, Jun 23, 2008 at 3:59 PM, David Shettler
[email protected] wrote:
Hey all, patched ruby on my development and production environments
to 1.8.6-p230 to address these new ruby vulnerabilities:
I still think those are not vulnerabilities but bugs, anyway…
mongrel began segfaulting after restarting.
Then tried ruby 1.8.7-p22 and upgrading to rails 2.1.0 (from rails
2.0.2), same issue. Had to revert back to the vulnerable GA 1.8.6.
1.8.7 is not a good thing to try, for your own health, stay away from
it, even more for production.
1.8.6-p111 seems stable to me, even with those “vulnerabilities” around
it.
Running centos 4, mongrel 1.1.5 (tried 1.1.3, 1.1.4 as well, all same results).
Any further info I can provide, I’d be glad to.
I suggest you read this post from Ruby On Rails weblog:
http://weblog.rubyonrails.com/2008/6/21/multiple-ruby-security-vulnerabilities
More important: read the comments, are more valuable than the blog post
itself.
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
ah, excellent, thanks for pointing me there. Not sure why I didn’t
check there first!
And in terms of them being bugs vs vulnerabilities, well, I’m biased 
They have CVE’s, which will get them on our site (osvdb) – which is
‘vulnerable’ to these problems! Ironic, and hence my concern.
I’m using 1.8.6-p230 locally and will fix any problems I happen to
come across. What architecture are you using?
Also, 1.8.7 is a little shaky right now; I recommend avoiding it.
Evan
On Mon, Jun 23, 2008 at 10:28 AM, David Shettler
Also, 1.8.7 is a little shaky right now; I recommend avoiding it.
This is off topic, but can your or Luis provide some information, or
links, on what makes 1.8.7 “shaky” or unsuitable for production?
thank you very much - jw
On Mon, Jun 23, 2008 at 9:02 PM, John W. [email protected] wrote:
Also, 1.8.7 is a little shaky right now; I recommend avoiding it.
This is off topic, but can your or Luis provide some information, or links,
on what makes 1.8.7 “shaky” or unsuitable for production?
1.8.7 backported lot of stuff from 1.9, which broke RubySpec:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/16554
At the end something of this was solved, but there are still some
guards around some 1.8.7 specific stuff.
1.8.7 also introduced bugs for some GUI tools, like wxRuby:
http://rubyforge.org/pipermail/wxruby-development/2008-April/001287.html
Regarding the patchelevel stuff, the own tests for ruby don’t pass, as
I commented here:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/17364
So I cannot provide an updated version of One-Click Installer for
1.8.7 or 1.8.6-p230 if:
1.8.7 break packages that OCI bundles (wxRuby) and p230 cannot
complete it’s own tests…
thank you very much - jw
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs