Hya folks
I’m introducing Ruby to my workplace and tried installing it on our
server. We’re using RHEL and the most recent Ruby binary package we
have in the repos is 1.8.1 (yikes indeed).
So the question is: what’s the source tarball we should use to build a
Ruby 1.8.4[1] that is both stable and has all the patches applied?
I found the tarball of the official 1.8.4 release[2], in the “stable”
directory of the ftp.ruby-lang.org. Unfortunately, its dated
24/12/2005 and seems to be the original release, with none of the
patches applied. My admin googled some critical security patches like
[3], realized they were not included in the above tarball, and freaked
out.
Thanks!
-Chris
P.S. I already posted this question to the general Ruby ML and got no
replies.
[1] We’re installing 1.8.4 as it’s the recommended Ruby version
for Rails installations on the official download page:
http://www.rubyonrails.com/down
[2] ftp://ftp.ruby-lang.org/pub/ruby/stable/ruby-1.8.4.tar.gz
[3]
http://www.mail-archive.com/[email protected]/msg00403.html
[4] ftp://ftp.ruby-lang.org/pub/ruby/snapshots/
[5] Ruby 1.8.4 released!
Chris P. wrote:
Hya folks
I’m introducing Ruby to my workplace and tried installing it on our
server. We’re using RHEL and the most recent Ruby binary package we
have in the repos is 1.8.1 (yikes indeed).
Here’s ruby 1.8.4 package for RHEL 4 that I’m using in production:
ftp://eos.openintegra.com/rhel/4/backports/i386/ruby-1.8.4-1.el4.oi.i386.rpm
–
Sava C.
Chris P. wrote:
[1] We’re installing 1.8.4 as it’s the recommended Ruby version
for Rails installations on the official download page:
http://www.rubyonrails.com/down
[2] ftp://ftp.ruby-lang.org/pub/ruby/stable/ruby-1.8.4.tar.gz
[3]
http://www.mail-archive.com/[email protected]/msg00403.html
Well, this is an interesting kettle of fish. This page:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029
contains the worrying quote “currently the upstream does not plan to
release patches”, so it does look like there isn’t and won’t be any
official Ruby release that contains these kinds of patches.
I wonder why not. Is the Ruby team not interested in maintaining old
versions in general, or is it just that they don’t consider these to be
major security problems? Could be a question worth pursuing on the Ruby
Core list.
Anyway, it looks like your choices are: (a) apply the patches yourself;
(b) find a Linux distribution that’s made these changes and get the
source from them; or (c) install the updated Red Hat RPM manually.
Chris
Thanks Sava and Chris.
Indeed, installing a patched Ruby 1.8.4 turned out to be surprisingly
difficult, definitely a lot more than it should be.
Considering how the official Rails’ download page[1] links directly to
the initial, unpatched releases, and the staggering amount of
difficulty involved in obtaining and (if lucky) installing patched
Ruby, one would imagine a horde of exploitable Rails servers, just
waiting to be h4x0r3d…
I suppose the Core Ruby team may profess to be uninterested in the old
1.8.4 branch, which is “only” interesting for Rails, while the current
official, stable branch is 1.8.5. However, the 1.8.5 is afflicted with
the same issue: prominent links to the initial unpatched point release,
and obscure, hard to find path for installing the patches and/or fully
patched version. Making it all to easy for people to run unpatched,
exploitable Ruby instances.
I guess I should raise it in the Rails Core ML unless someone better
qualified than me will do so.
-Chris
[1] http://www.rubyonrails.com/down
On Tue, 2006-10-17 at 05:49 -0700, Chris P. wrote:
I suppose the Core Ruby team may profess to be uninterested in the old
1.8.4 branch, which is “only” interesting for Rails, while the current
official, stable branch is 1.8.5. However, the 1.8.5 is afflicted with
the same issue: prominent links to the initial unpatched point release,
and obscure, hard to find path for installing the patches and/or fully
patched version. Making it all to easy for people to run unpatched,
exploitable Ruby instances.
I guess I should raise it in the Rails Core ML unless someone better
qualified than me will do so.
just an fyi - you can always find ruby rpm’s at http://dev.centos.org
(testing)
CentOS is re-spin of RHEL and though the RHEL base is 1.8.1 and not
likely to change, the developers do offer more current rpm’s for things
such as postgresql, php5, ruby, etc.
Craig
Chris P. wrote:
I suppose the Core Ruby team may profess to be uninterested in the old
1.8.4 branch, which is “only” interesting for Rails, while the current
official, stable branch is 1.8.5. However, the 1.8.5 is afflicted with
the same issue: prominent links to the initial unpatched point release,
and obscure, hard to find path for installing the patches and/or fully
patched version. Making it all to easy for people to run unpatched,
exploitable Ruby instances.
Yeah. Having had a brief look around, I can’t find any evidence of
official security releases from the Ruby maintainers, only downstream
patches in individual distros. Unless I’m missing something, this does
seem glaringly wrong.
I guess I should raise it in the Rails Core ML unless someone better
qualified than me will do so.
Go for it. Can’t do any harm, and it’d be good to get some
clarification on the situation either way.
Chris