Ruby patch level

I have Ruby 1.8.5 on Windows XP and am unable to identify the patch level
for that release. I have tried the following commands without success:

  • ruby -e 'puts(RUBY_PATCHLEVEL)' gives uninitialized constant
  • ruby -v does not show patch level
  • from irb: puts RUBY_PATCHLEVEL gives uninitialized constant

The reason I am doing this is because of this…
The official Ruby blog is reporting “multiple vulnerabilities” in the
official Ruby interpreter (MRI). A significant number of versions are
affected:

* All versions prior to 1.8.5
* All 1.8.5 versions prior to patch 231
* All 1.8.6 versions prior to patch 230
* All 1.8.7 versions prior to patch 22
* All 1.9.0 versions prior to 1.9.0-2

I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
there a way to perhaps correlate the date of the Ruby package with a
patch level? Thanks in advance for your help.

For my WinXP installation (1.8.6 one-click installer):

C:>ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]

YMMV

Dave

On Mon, Jun 30, 2008 at 19:39, Cali W.
[email protected] wrote:

> • All versions prior to 1.8.5
> • All 1.8.5 versions prior to patch 231
> • All 1.8.6 versions prior to patch 230
> • All 1.8.7 versions prior to patch 22
> • All 1.9.0 versions prior to 1.9.0-2
>
> I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
> there a way to perhaps correlate the date of the Ruby package with a
> patch level? Thanks in advance for your help.

If you installed your ruby from one-click installer, it’s vulnerable
(There’s no OCI for p231 yet, and most probably never will be)
If you installed your ruby more than two weeks ago, it’s vulnerable
(I.e. your ruby must be newer than the announcement).
Note that some of the versions you listed are broken, so please read
through recent posts to determine which version you really want.

J.

Jano S. wrote:

> On Mon, Jun 30, 2008 at 19:39, Cali W.
> [email protected] wrote:
>
>> • All versions prior to 1.8.5
>> • All 1.8.5 versions prior to patch 231
>> • All 1.8.6 versions prior to patch 230
>> • All 1.8.7 versions prior to patch 22
>> • All 1.9.0 versions prior to 1.9.0-2
>>
>> I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
>> there a way to perhaps correlate the date of the Ruby package with a
>> patch level? Thanks in advance for your help.
>
> If you installed your ruby from one-click installer, it’s vulnerable
> (There’s no OCI for p231 yet, and most probably never will be)
> If you installed your ruby more than two weeks ago, it’s vulnerable
> (I.e. your ruby must be newer than the announcement).
> Note that some of the versions you listed are broken, so please read
> through recent posts to determine which version you really want.
>
> J.

Thanks Jano, that’s helpful, my Ruby installation was from Jan 2007 so
it’s vulnerable. I will read through the recent posts to determine the
appropriate version.

Dave B. wrote:

> For my WinXP installation (1.8.6 one-click installer):
>
> C:>ruby --version
> ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]
>
> YMMV
>
> Dave

ruby --version is the same as ruby -v, it doesn’t give me a patch level.
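
Added example, not part of the original thread: a Ruby script that parses a `ruby -v` banner and compares it with the patch levels listed in the thread, treating a banner with no patch level (the 1.8.5 case discussed here) as affected. The function names, status symbols and the second sample banner are constructed for illustration, and "no patch level means unpatched" is an assumption of this example.

```ruby
# Fixed patch level per release series, copied from the list quoted in the thread.
FIXED_PATCHLEVEL = { "1.8.5" => 231, "1.8.6" => 230, "1.8.7" => 22 }

# Split a `ruby -v` banner into [version, patchlevel]; patchlevel is nil when
# the banner does not print one (the situation described for 1.8.5 above).
def parse_banner(banner)
  m = banner.match(/\Aruby (\d+\.\d+\.\d+)/)
  return nil unless m
  pl = banner[/patchlevel (\d+)/, 1]
  [m[1], pl && pl.to_i]
end

# Classify a version/patchlevel pair against the quoted list.
def advisory_status(version, patchlevel)
  v = version.split(".").map { |n| n.to_i }
  return :affected if (v <=> [1, 8, 5]) < 0     # "All versions prior to 1.8.5"
  return :check_release if version == "1.9.0"   # fix is release 1.9.0-2, not a patch level
  fixed = FIXED_PATCHLEVEL[version]
  return :not_listed if fixed.nil?              # series does not appear in the list
  return :assume_affected if patchlevel.nil?    # assumption: unknown means unpatched
  patchlevel < fixed ? :affected : :fixed
end

# Same check for the interpreter running this script; RUBY_PATCHLEVEL may be
# undefined on old builds, which is what the "uninitialized constant" error shows.
def running_interpreter_status
  pl = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  advisory_status(RUBY_VERSION, pl)
end

# First banner is the one posted in the thread; the second is constructed.
SAMPLE_BANNERS = [
  "ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]",
  "ruby 1.8.5 (2006-08-25) [i386-mswin32]"
]

SAMPLE_BANNERS.each do |b|
  version, pl = parse_banner(b)
  puts "#{b} => #{advisory_status(version, pl)}"
end
puts "this interpreter (#{RUBY_VERSION}) => #{running_interpreter_status}"
```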