Wed, Jun. 25th, 2008, 03:54 am
ibneko: Arbitrary code execution vulnerabilities

Official news post here:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

General rundown of exactly _what_ is being affected:
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

Discussion forums of patches and such:
http://www.ruby-forum.com/topic/157034

Now, my question to you guys is: has anyone patched their copy of ruby? Anyone have any pointers on patching/upgrading ruby on a production site? My partner, the one who set everything up, is off on his honeymoon and can't be reached. The wannabe security professional side of me understands what the vulnerabilities mean and would very much like to patch and upgrade ruby. But from what I've read on the discussion forum, the releases are said to break stuff, which would be Very Bad™ for a live site.

Looks like we're running:
"Ubuntu 7.10" codename gutsy
ruby 1.8.6 (2007-06-07 patchlevel 36) [x86_64-linux]

Crossposted to the ruby_lang community, although that looked relatively dead . . .

(This news is now about 5 days old...)
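An added example, not part of the post above or of any of the linked advisories: a small POSIX shell check that parses the `ruby -v` line quoted above and tells you whether the installed 1.8.6 build is older than a given fixed patchlevel. The fixed patchlevel itself is deliberately not hard-coded here; take it from the ruby-lang announcement linked above and pass it in (the value 100 used in the demo is a placeholder, not the real number). The Debian package name `ruby1.8` in the live check is an assumption about the Ubuntu packaging of that era.

```sh
#!/bin/sh
# Constructed sample input: the `ruby -v` line quoted in the post.
SAMPLE_RUBY_V='ruby 1.8.6 (2007-06-07 patchlevel 36) [x86_64-linux]'

# parse_ruby_version "<ruby -v line>"
# Prints "MAJOR MINOR TEENY PATCHLEVEL" on one line, or returns 1 if the
# line is not recognised. Handles both the 2008-era "(... patchlevel N)"
# form and the later "x.y.zpN" form.
parse_ruby_version() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/^ruby \([0-9][0-9.]*\)[ p].*/\1/p')
    pl=$(printf '%s\n' "$line" | sed -n 's/.*patchlevel \([0-9][0-9]*\).*/\1/p')
    [ -n "$pl" ] || pl=$(printf '%s\n' "$line" | sed -n 's/^ruby [0-9][0-9.]*p\([0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] && [ -n "$pl" ] || return 1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; teeny=${rest#*.}
    printf '%s %s %s %s\n' "$major" "$minor" "$teeny" "$pl"
}

# ruby_needs_patch "<ruby -v line>" "<series x.y.z>" "<min patchlevel>"
# Exit status: 0 = installed build is older than the minimum patchlevel,
# 1 = at or past it, 2 = line unparsable or a different x.y.z series
# (the comparison is only meaningful within one series, e.g. 1.8.6).
ruby_needs_patch() {
    fields=$(parse_ruby_version "$1") || return 2
    set -- $fields "$2" "$3"
    # $1 $2 $3 = installed major/minor/teeny, $4 = installed patchlevel,
    # $5 = wanted series, $6 = wanted minimum patchlevel
    [ "$1.$2.$3" = "$5" ] || return 2
    [ "$4" -lt "$6" ]
}

# check_live_ruby "<series>" "<min patchlevel>"
# Runs the same check against the interpreter actually on PATH, and also
# shows the distro package version so you can see whether the package
# (assumed name: ruby1.8) has been rebuilt since the fix.
check_live_ruby() {
    if ! command -v ruby >/dev/null 2>&1; then
        echo "no ruby on PATH"; return 2
    fi
    live=$(ruby -v)
    echo "installed: $live"
    if command -v dpkg-query >/dev/null 2>&1; then
        echo "package: $(dpkg-query -W -f='${Version}\n' ruby1.8 2>/dev/null || echo 'ruby1.8 not installed')"
    fi
    ruby_needs_patch "$live" "$1" "$2"
}

# Demo on the constructed sample; 100 is a PLACEHOLDER minimum patchlevel.
if ruby_needs_patch "$SAMPLE_RUBY_V" 1.8.6 100; then
    echo "sample build is older than 1.8.6 patchlevel 100: patch needed"
fi
```

Run `check_live_ruby 1.8.6 <patchlevel-from-announcement>` on the box itself; an exit status of 0 means the interpreter on PATH predates the fix, regardless of what the package database says.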

Thu, Jun. 26th, 2008 04:34 pm (UTC)
joeylemur

In a perfect world, you should be able to go from an older 1.8.6 patchlevel to a newer 1.8.6 patchlevel without breaking anything. The only things that should "break" are things that relied on bugs that have been fixed in the newer patchlevel.

In the absence of a perfect world, however, you should have a test environment that you can plop a new 1.8.6 build onto, and then run full regression testing against, before deploying the new 1.8.6 build to production.

This, of course, assumes that you're using a hand-built 1.8.6 binary... if you're relying on Ubuntu packages, then I'm at a loss. I personally don't trust packaging systems, but that's probably because I work in an environment where we need to fix security holes when they're discovered, and not when someone decides to eventually rebuild the package and get it publicly released...