I heard from a couple of sources about Ruby security concerns, quoting
from
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
The official Ruby blog is reporting “multiple vulnerabilities” in the
official Ruby interpreter (MRI). A significant number of versions are
affected:
* All versions prior to 1.8.5
* All 1.8.5 versions prior to patch 231
* All 1.8.6 versions prior to patch 230
* All 1.8.7 versions prior to patch 22
* All 1.9.0 versions prior to 1.9.0-2
I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #?
However, I have no idea what that means in terms of patch # as listed
above for say “All 1.8.5 versions prior to patch 231”. Does anyone know
how to correlate the two?
You can run this from the command line to get the patch level:
ruby -e 'puts(RUBY_PATCHLEVEL)'
Best.
Mike
Michael B. wrote:
You can run this from the command line to get the patch level:
ruby -e 'puts(RUBY_PATCHLEVEL)'
Best.
Mike
that’s true,
but my understanding was that although my Ubuntu ruby 1.8.6 says it’s at
patch level 111, it is in fact patched against the vulnerability
so, I believe I’m safe even though…
matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
111
matthew@ruBuntu:~$ ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]
Matthew R. Jacobs wrote:
Michael B. wrote:
You can run this from the command line to get the patch level:
ruby -e 'puts(RUBY_PATCHLEVEL)'
Best.
Mike
Thanks Mike, actually I did try that already but got an error
C:\Documents and Settings\Bob>ruby -e 'puts(RUBY_PATCHLEVEL)'
-e:1: uninitialized constant RUBY_PATCHLEVEL (NameError)
Any other ideas? Much appreciated.
that’s true,
but my understanding was that although my Ubuntu ruby 1.8.6 says it’s at
patch level 111, it is in fact patched against the vulnerability
Bug #241657 “Multiple vulnerabilities in Ruby may lead to a deni...” : Hardy (8.04) : Bugs : ruby1.8 package : Ubuntu
so, I believe I’m safe even though…
matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
111
matthew@ruBuntu:~$ ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]
Matthew,
On Windows, the ruby --version command doesn’t even show patch level
C:\Documents and Settings\Bob>ruby --version
ruby 1.8.5 (2006-08-25) [i386-mswin32]
Michael B. wrote:
what about from irb? (I don’t have windows so I can’t test this for you)
puts RUBY_PATCHLEVEL
111
=> nil
Sigh, same result unfortunately: uninitialized constant. Is the Ruby on
Windows that different than Linux?
On Jun 29, 2008, at 11:53 AM, Cali W. wrote:
Sigh, same result unfortunately: uninitialized constant. Is the Ruby on
Windows that different than Linux?
I’m guessing that Ruby 1.8.5 on Windows didn’t set this environment
variable?
This might be a great question for the new RoR on Windows google group.
Sorry I couldn’t be more helpful.
Best.
Mike
Michael B. wrote:
On Jun 29, 2008, at 11:53 AM, Cali W. wrote:
Sigh, same result unfortunately: uninitialized constant. Is the Ruby on
Windows that different than Linux?
I’m guessing that Ruby 1.8.5 on Windows didn’t set this environment
variable?
This might be a great question for the new RoR on Windows google group.
Sorry I couldn’t be more helpful.
Best.
Mike
Mike, thanks for your tips though, at least I know that I am not missing
something obvious. Actually, I started the new RoR Windows group =)
hopefully I can get some traction there.
what about from irb? (I don’t have windows so I can’t test this for you)
puts RUBY_PATCHLEVEL
111
=> nil
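
One way to do the correlation asked about in this thread, as an added example that is not from any of the posters: it compares the interpreter's upstream version and patch level against the thresholds quoted in the first post, and probes for RUBY_PATCHLEVEL instead of referencing it, so the NameError seen on the 1.8.5 Windows build does not occur. The names advisory_status, current_patchlevel and FIXED_PATCHLEVEL are made up here, and treating a missing patch level as 0 is an assumption.

```ruby
# Added example, not from the thread. Thresholds are the ones quoted in the
# first post from the June 2008 advisory; they use upstream numbering only.
FIXED_PATCHLEVEL = {
  [1, 8, 5] => 231,
  [1, 8, 6] => 230,
  [1, 8, 7] => 22
}.freeze

# RUBY_PATCHLEVEL is not defined on every build (the 1.8.5 mswin32 build in
# the thread raises NameError), so probe for it instead of referencing it.
def current_patchlevel
  defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
end

# Returns :affected, :fixed_upstream, :check_release or :not_listed.
# Assumption: a missing patch level (nil) is treated as 0, i.e. affected.
def advisory_status(version, patchlevel)
  # Keep only major.minor.teeny, so "1.8.5.32-2" is read as 1.8.5.
  v = version.scan(/\d+/).first(3).map { |n| n.to_i }
  return :affected if (v <=> [1, 8, 5]) < 0
  # 1.9.0 is fixed in release "1.9.0-2", which is not a patch level.
  return :check_release if v == [1, 9, 0]
  fixed = FIXED_PATCHLEVEL[v]
  return :not_listed if fixed.nil?
  (patchlevel || 0) < fixed ? :affected : :fixed_upstream
end

if __FILE__ == $0
  status = advisory_status(RUBY_VERSION, current_patchlevel)
  puts "ruby #{RUBY_VERSION} patchlevel #{current_patchlevel.inspect}: #{status}"
end
```

An :affected result reflects upstream numbering only; a distribution package may carry the fix without changing the patch level, as one poster reports for Ubuntu's 1.8.6 at patch level 111, so the distribution's own advisory still needs checking.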