I heard from a couple of sources about Ruby security concerns, quoting from
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

The official Ruby blog is reporting “multiple vulnerabilities” in the official Ruby interpreter (MRI). A significant number of versions are affected:

* All versions prior to 1.8.5
* All 1.8.5 versions prior to patch 231
* All 1.8.6 versions prior to patch 230
* All 1.8.7 versions prior to patch 22
* All 1.9.0 versions prior to 1.9.0-2

I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #? However, I have no idea what that means in terms of patch # as listed above for say "All 1.8.5 versions prior to patch 231". Does anyone know how to correlate the two?

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

You can run this from the command line to get the patch level:

ruby -e 'puts(RUBY_PATCHLEVEL)'

Best.
Mike

On Jun 28, 2008, at 5:34 PM, Cali Wildman wrote:
>
> I heard from a couple of sources about Ruby security concerns, quoting from
> http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
>
> The official Ruby blog is reporting “multiple vulnerabilities” in the
> official Ruby interpreter (MRI). A significant number of versions are
> affected:
>
> * All versions prior to 1.8.5
> * All 1.8.5 versions prior to patch 231
> * All 1.8.6 versions prior to patch 230
> * All 1.8.7 versions prior to patch 22
> * All 1.9.0 versions prior to 1.9.0-2
>
> I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #?
> However, I have no idea what that means in terms of patch # as listed
> above for say "All 1.8.5 versions prior to patch 231". Does anyone know
> how to correlate the two?
> --
> Posted via http://www.ruby-forum.com/.

Matthew Rudy Jacobs
2008-Jun-29 15:21 UTC
Re: Correlate Ruby version/build with patch number
Michael Breen wrote:
> You can run this from the command line to get the patch level: ruby -e
> 'puts(RUBY_PATCHLEVEL)'
>
> Best.
> Mike

that's true,
but my understanding was that although my ubuntu ruby 1.8.6 says it's at patch level 111, it is in fact patched against the vulnerability

https://bugs.launchpad.net/ubuntu/hardy/+source/ruby1.8/+bug/241657

so, I believe I'm safe even though...

matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
111
matthew@ruBuntu:~$ ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

--
Posted via http://www.ruby-forum.com/.

Matthew Rudy Jacobs wrote:
> Michael Breen wrote:
>> You can run this from the command line to get the patch level: ruby -e
>> 'puts(RUBY_PATCHLEVEL)'
>>
>> Best.
>> Mike

Thanks Mike, actually I did try that already but got an error

C:\Documents and Settings\Bob>ruby -e 'puts(RUBY_PATCHLEVEL)'
-e:1: uninitialized constant RUBY_PATCHLEVEL (NameError)

Any other ideas? Much appreciated.

> that's true,
> but my understanding was that although my ubuntu ruby 1.8.6 says it's at
> patch level 111, it is in fact patched against the vulnerability
>
> https://bugs.launchpad.net/ubuntu/hardy/+source/ruby1.8/+bug/241657
>
> so, I believe I'm safe even though...
>
> matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
> 111
> matthew@ruBuntu:~$ ruby --version
> ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

Matthew,

On Windows, the ruby --version command doesn't even show patch level

C:\Documents and Settings\Bob>ruby --version
ruby 1.8.5 (2006-08-25) [i386-mswin32]

--
Posted via http://www.ruby-forum.com/.

what about from irb? (I don't have windows so I can't test this for you)

  >> puts RUBY_PATCHLEVEL
  111
  => nil
  >>

On Jun 29, 2008, at 11:28 AM, Cali Wildman wrote:
>
> Matthew Rudy Jacobs wrote:
>> Michael Breen wrote:
>>> You can run this from the command line to get the patch level:
>>> ruby -e 'puts(RUBY_PATCHLEVEL)'
>>>
>>> Best.
>>> Mike
>>
> Thanks Mike, actually I did try that already but got an error
>
> C:\Documents and Settings\Bob>ruby -e 'puts(RUBY_PATCHLEVEL)'
> -e:1: uninitialized constant RUBY_PATCHLEVEL (NameError)
>
> Any other ideas? Much appreciated.
>
>> that's true,
>> but my understanding was that although my ubuntu ruby 1.8.6 says it's at
>> patch level 111, it is in fact patched against the vulnerability
>>
>> https://bugs.launchpad.net/ubuntu/hardy/+source/ruby1.8/+bug/241657
>>
>> so, I believe I'm safe even though...
>>
>> matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
>> 111
>> matthew@ruBuntu:~$ ruby --version
>> ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]
>
> Matthew,
>
> On Windows, the ruby --version command doesn't even show patch level
> C:\Documents and Settings\Bob>ruby --version
> ruby 1.8.5 (2006-08-25) [i386-mswin32]
> --
> Posted via http://www.ruby-forum.com/.

Michael Breen wrote:
> what about from irb? (I don't have windows so I can't test this for you)
>
> >> puts RUBY_PATCHLEVEL
> 111
> => nil
> >>

*Sigh* same result unfortunately uninitialized constant. Is the Ruby on Windows that different than Linux?

--
Posted via http://www.ruby-forum.com/.

On Jun 29, 2008, at 11:53 AM, Cali Wildman wrote:
>
> Michael Breen wrote:
>> what about from irb? (I don't have windows so I can't test this for you)
>>
>> >> puts RUBY_PATCHLEVEL
>> 111
>> => nil
>> >>
>
> *Sigh* same result unfortunately uninitialized constant. Is the Ruby on
> Windows that different than Linux?

I'm guessing that Ruby 1.8.5 on windows didn't set this environment variable?

This might be a great question for the new RoR on Windows google group.

Sorry I couldn't be more helpful.

Best.
Mike

> --
> Posted via http://www.ruby-forum.com/.

Michael Breen wrote:
> On Jun 29, 2008, at 11:53 AM, Cali Wildman wrote:
>
>> *Sigh* same result unfortunately uninitialized constant. Is the Ruby on
>> Windows that different than Linux?
>
> I'm guessing that Ruby 1.8.5 on windows didn't set this environment
> variable?
>
> This might be a great question for the new RoR on Windows google group.
>
> Sorry I couldn't be more helpful.
>
> Best.
> Mike

Mike, thanks for your tips though, at least I know that I am not missing something obvious. Actually, I started the new RoR Windows group =) hopefully I can get some traction there.

--
Posted via http://www.ruby-forum.com/.
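
Added example, not part of the original thread: a Ruby sketch that parses the two `ruby --version` banners posted above and compares them with the affected-version list quoted in the first message, covering the banner with no patchlevel and the interpreter that does not define RUBY_PATCHLEVEL. The names parse_banner, current_patchlevel and assess are illustrative, and the result labels are assumptions made for this example.

```ruby
# Added example, not from the thread. Thresholds are copied from the
# affected-version list quoted in the first message; all names are illustrative.
FIXED_PATCHLEVEL = { "1.8.5" => 231, "1.8.6" => 230, "1.8.7" => 22 }.freeze

# Matches the two banner shapes shown in the thread, with and without
# "patchlevel N" after the release date.
BANNER = /\Aruby (\d+\.\d+\.\d+) \(\d{4}-\d{2}-\d{2}(?: patchlevel (\d+))?\)/

# Returns [version, patchlevel]; patchlevel is nil when the banner omits it.
def parse_banner(banner)
  m = BANNER.match(banner.strip)
  raise ArgumentError, "unrecognised banner: #{banner.inspect}" unless m
  [m[1], m[2] && m[2].to_i]
end

# Patchlevel of the running interpreter, or nil on builds that do not define
# the constant (referencing it directly raises NameError there).
def current_patchlevel
  defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
end

def assess(version, patchlevel)
  parts = version.split(".").map { |n| n.to_i }
  return :affected if (parts <=> [1, 8, 5]) < 0        # all versions prior to 1.8.5
  return :release_number_needed if version == "1.9.0"  # list names release 1.9.0-2
  fixed = FIXED_PATCHLEVEL[version]
  return :not_listed if fixed.nil?                     # series absent from the list
  return :unknown if patchlevel.nil?                   # nothing to compare
  # A number below the threshold is only the upstream view: the Ubuntu reply
  # in the thread describes a package patched without a patchlevel change.
  patchlevel < fixed ? :affected_unless_backported : :fixed
end

# Banners copied from the thread.
SAMPLES = [
  "ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]",
  "ruby 1.8.5 (2006-08-25) [i386-mswin32]",
].freeze

SAMPLES.each do |banner|
  version, patchlevel = parse_banner(banner)
  puts "#{version} patchlevel=#{patchlevel.inspect} -> #{assess(version, patchlevel)}"
end
puts "this interpreter: #{RUBY_VERSION} patchlevel=#{current_patchlevel.inspect}"
```

For an `:unknown` or `:affected_unless_backported` result, the installer's or distribution's own advisory for that package build is what settles the question, not the upstream patch number.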