Forum: Mongrel patched ruby seems to break mongrel?

David Shettler (Guest)
on 2008-06-23 16:01
(Received via mailing list)
Hey all, I patched ruby on my development and production environments
to 1.8.6-p230 to address these new ruby vulnerabilities:

  http://www.ruby-lang.org/en/news/2008/06/20/arbitr...

Mongrel began segfaulting after restarting.

Then I tried ruby 1.8.7-p22 and upgrading to rails 2.1.0 (from rails
2.0.2), same issue. Had to revert back to the vulnerable GA 1.8.6.

Running centos 4, mongrel 1.1.5 (tried 1.1.3, 1.1.4 as well, all same
results).

Any further info I can provide, I'd be glad to.

Dave
OSVDB.org
Luis Lavena (luislavena)
on 2008-06-23 16:16
(Received via mailing list)
On Mon, Jun 23, 2008 at 3:59 PM, David Shettler
<dave@opensecurityfoundation.org> wrote:
> Hey all,  patched ruby on my development and production environments
> to 1.8.6-p230 to address these new ruby vulnerabilities:
>
>  http://www.ruby-lang.org/en/news/2008/06/20/arbitr...
>

I still think those are not vulnerabilities but bugs, anyway...

> mongrel began segfaulting after restarting.
>
> Then tried ruby 1.8.7-p22 and upgrading to rails 2.1.0 (from rails
> 2.0.2), same issue.  Had to revert back to the vulnerable GA 1.8.6.
>

1.8.7 is not a good thing to try; for your own health, stay away from
it, even more so for production.

1.8.6-p111 seems stable to me, even with those "vulnerabilities" around
it.

> Running centos 4, mongrel 1.1.5 (tried 1.1.3, 1.1.4 as well, all same results).
>
> Any further info I can provide, I'd be glad to.
>

I suggest you read this post from Ruby On Rails weblog:

http://weblog.rubyonrails.com/2008/6/21/multiple-r...

More important: read the comments; they are more valuable than the blog post
itself.

Regards,
--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
David Shettler (Guest)
on 2008-06-23 16:29
(Received via mailing list)
Ah, excellent, thanks for pointing me there. Not sure why I didn't
check there first!

And in terms of them being bugs vs vulnerabilities, well, I'm biased :)

They have CVEs, which will get them on our site (osvdb) -- which is
'vulnerable' to these problems! Ironic, and hence my concern.
Evan Weaver (eweaver)
on 2008-06-23 18:47
(Received via mailing list)
I'm using 1.8.6-p230 locally and will fix any problems I happen to
come across. What architecture are you using?

Also, 1.8.7 is a little shaky right now; I recommend avoiding it.

Evan

On Mon, Jun 23, 2008 at 10:28 AM, David Shettler
John Private (smokinggun)
on 2008-06-23 21:03
(Received via mailing list)
> Also, 1.8.7 is a little shaky right now; I recommend avoiding it.

This is off topic, but can you or Luis provide some information, or
links, on what makes 1.8.7 "shaky" or unsuitable for production?

thank you very much - jw
Luis Lavena (luislavena)
on 2008-06-23 21:39
(Received via mailing list)
On Mon, Jun 23, 2008 at 9:02 PM, John Weir <john@smokinggun.com> wrote:
>> Also, 1.8.7 is a little shaky right now; I recommend avoiding it.
>
> This is off topic, but can your or Luis provide some information, or links,
> on what makes 1.8.7 "shaky" or unsuitable for production?
>

1.8.7 backported a lot of stuff from 1.9, which broke RubySpec:

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...

In the end some of this was solved, but there are still some
guards around some 1.8.7-specific stuff.

1.8.7 also introduced bugs for some GUI tools, like wxRuby:

http://rubyforge.org/pipermail/wxruby-development/...

Regarding the patchlevel stuff, ruby's own tests don't pass, as
I commented here:

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...

So I cannot provide an updated version of One-Click Installer for
1.8.7 or 1.8.6-p230 if:

1.8.7 breaks packages that OCI bundles (wxRuby) and p230 cannot
complete its own tests...

> thank you very much - jw
>

No problem, take care!
--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams