Chris Pearl
2006-Oct-17 09:07 UTC
How do I install Ruby 1.8.4 on my server from source, with all patches applied?
Hya folks

I'm introducing Ruby to my workplace and tried installing it on our server. We're using RHEL and the most recent Ruby binary package we have in the repos is 1.8.1 (yikes indeed).

So the question is: what's the source tarball we should use to build a Ruby 1.8.4[1] that is both stable and has all the patches applied?

I found the tarball of the official 1.8.4 release[2], in the "stable" directory of ftp.ruby-lang.org. Unfortunately, it's dated 24/12/2005 and seems to be the original release, with none of the patches applied. My admin googled some critical security patches like [3], realized they were not included in the above tarball, and freaked out.

Thanks!
-Chris

P.S. I already posted this question to the general Ruby ML and got no replies.

---
[1] We're installing 1.8.4 as it's the recommended Ruby version for Rails installations on the official download page: http://www.rubyonrails.com/down
[2] ftp://ftp.ruby-lang.org/pub/ruby/stable/ruby-1.8.4.tar.gz
[3] http://www.mail-archive.com/fedora-package-announce-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org/msg00403.html
[4] ftp://ftp.ruby-lang.org/pub/ruby/snapshots/
[5] http://www.ruby-lang.org/en/news/2005/12/24/ruby-184-released/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
Sava Chankov
2006-Oct-17 10:44 UTC
Re: How do I install Ruby 1.8.4 on my server from source, with all patches applied?
Chris Pearl wrote:
> Hya folks
>
> I'm introducing Ruby to my workplace and tried installing it on our
> server. We're using RHEL and the most recent Ruby binary package we
> have in the repos is 1.8.1 (yikes indeed).
>
Here's a ruby 1.8.4 package for RHEL 4 that I'm using in production:
ftp://eos.openintegra.com/rhel/4/backports/i386/ruby-1.8.4-1.el4.oi.i386.rpm

--
Sava Chankov
Chris Mear
2006-Oct-17 11:00 UTC
Re: How do I install Ruby 1.8.4 on my server from source, with all patches applied?
Chris Pearl wrote:
> So the question is: what's the source tarball we should use to build a
> Ruby 1.8.4[1] that is both stable and has all the patches applied?
>
> I found the tarball of the official 1.8.4 release[2], in the "stable"
> directory of the ftp.ruby-lang.org. Unfortunately, it's dated
> 24/12/2005 and seems to be the original release, with none of the
> patches applied. My admin googled some critical security patches like
> [3], realized they were not included in the above tarball, and freaked
> out.
>
> [1] We're installing 1.8.4 as it's the recommended Ruby version
> for Rails installations on the official download page:
> http://www.rubyonrails.com/down
>
> [2] ftp://ftp.ruby-lang.org/pub/ruby/stable/ruby-1.8.4.tar.gz
>
> [3]
> http://www.mail-archive.com/fedora-package-announce-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org/msg00403.html

Well, this is an interesting kettle of fish. This page:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

contains the worrying quote "currently the upstream does not plan to release patches", so it does look like there isn't and won't be any official Ruby release that contains these kinds of patches.

I wonder why not. Is the Ruby team not interested in maintaining old versions in general, or is it just that they don't consider these to be major security problems? Could be a question worth pursuing on the Ruby Core list.

Anyway, it looks like your choices are: (a) apply the patches yourself; (b) find a Linux distribution that's made these changes and get the source from them; or (c) install the updated Red Hat RPM manually.

Chris
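As an added example for choice (a), not code from this thread or from the Ruby project: a POSIX shell routine that applies a directory of distro or vendor patch files to an unpacked source tree before `./configure && make`, and refuses to touch the tree unless every patch dry-runs cleanly, so a security fix is never silently skipped while the build proceeds. It also writes a small manifest of what went in, because the thread's real problem is not being able to tell whether a given tree is patched. The function names (`apply_patch_series`, `verify_manifest`), the `PATCHES_APPLIED` manifest file and the `001-...patch` naming convention are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): apply a series of *.patch files to an
# unpacked Ruby source tree, all-or-nothing, and record what was applied.
# Assumed (hypothetical) layout: $1 is the unpacked tree, $2 a directory of
# *.patch files applied in name order (001-..., 002-...).
set -eu

apply_patch_series() {
    src=$1
    patchdir=$2
    [ -d "$src" ] || { echo "no such source tree: $src" >&2; return 1; }
    n=0
    # Pass 1: dry-run every patch (-N: do not re-apply one already present).
    # If any patch fails, apply nothing: a half-patched tree would build fine
    # and look patched while still missing a fix.
    for p in "$patchdir"/*.patch; do
        [ -e "$p" ] || continue
        n=$((n + 1))
        if ! patch -d "$src" -p1 -N -s --dry-run < "$p"; then
            echo "refusing to continue: $p does not apply cleanly" >&2
            return 1
        fi
    done
    [ "$n" -gt 0 ] || { echo "no *.patch files in $patchdir" >&2; return 1; }
    # Pass 2: apply for real and record name + SHA-256 of each patch, so a
    # later audit can answer "which fixes does this build contain?".
    for p in "$patchdir"/*.patch; do
        patch -d "$src" -p1 -N -s < "$p"
        printf '%s  %s\n' "$(sha256sum "$p" | cut -d' ' -f1)" "$(basename "$p")" \
            >> "$src/PATCHES_APPLIED"
    done
    echo "applied $n patch(es) to $src"
}

# Re-check a tree's manifest against a patch directory: every recorded patch
# must still exist with the same SHA-256. Catches a patch file that was
# swapped or edited after the build was recorded.
verify_manifest() {
    src=$1
    patchdir=$2
    [ -f "$src/PATCHES_APPLIED" ] || return 1
    while read -r sum name; do
        actual=$(sha256sum "$patchdir/$name" 2>/dev/null | cut -d' ' -f1) || return 1
        [ "$actual" = "$sum" ] || return 1
    done < "$src/PATCHES_APPLIED"
}

# Usage (hypothetical paths): apply_patch_series ./ruby-1.8.4 ./vendor-patches
```

Run it on the unpacked tarball before configuring; a non-zero exit means the tree is untouched and a patch needs attention rather than being quietly dropped. For choice (c), the equivalent check before installing a third-party RPM is `rpm -K` (`--checksig`) on the package file, so that the binary you install is the one the packager signed.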
Chris Pearl
2006-Oct-17 12:49 UTC
Re: How do I install Ruby 1.8.4 on my server from source, with all patches applied?
Thanks Sava and Chris.

Indeed, installing a patched Ruby 1.8.4 turned out to be surprisingly difficult, definitely a lot more than it should be.

Considering how the official Rails' download page[1] links directly to the initial, unpatched releases, and the staggering amount of difficulty involved in obtaining and (if lucky) installing patched Ruby, one would imagine a horde of exploitable Rails servers, just waiting to be h4x0r3d...

I suppose the Core Ruby team may profess to be uninterested in the old 1.8.4 branch, which is "only" interesting for Rails, while the current official, stable branch is 1.8.5. However, the 1.8.5 is afflicted with the same issue: prominent links to the initial unpatched point release, and obscure, hard to find path for installing the patches and/or fully patched version. Making it all too easy for people to run unpatched, exploitable Ruby instances.

I guess I should raise it in the Rails Core ML unless someone better qualified than me will do so.

-Chris

---
[1] http://www.rubyonrails.com/down
Craig White
2006-Oct-17 19:28 UTC
Re: How do I install Ruby 1.8.4 on my server from source, with all patches applied?
On Tue, 2006-10-17 at 05:49 -0700, Chris Pearl wrote:
> Thanks Sava and Chris.
>
> Indeed, installing a patched Ruby 1.8.4 turned out to be surprisingly
> difficult, definitely a lot more than it should be.
>
> Considering how the official Rails' download page[1] links directly to
> the initial, unpatched releases, and the staggering amount of
> difficulty involved in obtaining and (if lucky) installing patched
> Ruby, one would imagine a horde of exploitable Rails servers, just
> waiting to be h4x0r3d...
>
> I suppose the Core Ruby team may profess to be uninterested in the old
> 1.8.4 branch, which is "only" interesting for Rails, while the current
> official, stable branch is 1.8.5. However, the 1.8.5 is afflicted with
> the same issue: prominent links to the initial unpatched point release,
> and obscure, hard to find path for installing the patches and/or fully
> patched version. Making it all too easy for people to run unpatched,
> exploitable Ruby instances.
>
> I guess I should raise it in the Rails Core ML unless someone better
> qualified than me will do so.
----
just an fyi - you can always find ruby RPMs at http://dev.centos.org (testing)

CentOS is a re-spin of RHEL and though the RHEL base is 1.8.1 and not likely to change, the developers do offer more current RPMs for things such as postgresql, php5, ruby, etc.

Craig
Chris Mear
2006-Oct-17 19:48 UTC
Re: How do I install Ruby 1.8.4 on my server from source, with all patches applied?
Chris Pearl wrote:
> I suppose the Core Ruby team may profess to be uninterested in the old
> 1.8.4 branch, which is "only" interesting for Rails, while the current
> official, stable branch is 1.8.5. However, the 1.8.5 is afflicted with
> the same issue: prominent links to the initial unpatched point release,
> and obscure, hard to find path for installing the patches and/or fully
> patched version. Making it all too easy for people to run unpatched,
> exploitable Ruby instances.

Yeah. Having had a brief look around, I can't find any evidence of official security releases from the Ruby maintainers, only downstream patches in individual distros. Unless I'm missing something, this does seem glaringly wrong.

> I guess I should raise it in the Rails Core ML unless someone better
> qualified than me will do so.

Go for it. Can't do any harm, and it'd be good to get some clarification on the situation either way.

Chris