
How-To Update Ubuntu Servers to Close Ruby Vulnerabilities


It was announced the other day that some arbitrary code execution vulnerabilities were discovered in almost all production versions of Ruby out in the wild. I’m not sure how vulnerable your typical Ruby on Rails application servers would be, but I’m taking no chances. I run this blog, and all my other production sites on Ubuntu. Updating to the latest patched version of ruby was easy:

$ sudo apt-get install build-essential libssl-dev libreadline5-dev zlib1g-dev
$ wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.gz
$ tar zxvf ruby-1.8.7-p22.tar.gz
$ cd ruby-1.8.7-p22
$ ./configure --prefix=/usr/local --with-openssl-dir=/usr --with-readline-dir=/usr --with-zlib-dir=/usr
$ make
$ sudo make install

And you’re done. The only sorta tricky part there is the ./configure command, which needs those options so the build picks up Readline, OpenSSL and Zlib support, all of which are usually needed in a Ruby on Rails environment. To check that it’s working, run these commands and verify that the output looks like this:

$ which ruby
/usr/local/bin/ruby
$ ruby --version
ruby 1.8.7 (2008-06-20 patchlevel 22) [i686-linux]
$ ruby -ropenssl -rzlib -rreadline -e "puts :success"
success
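A slightly more thorough version of that check, added here as a POSIX shell script that is not part of the original post: it confirms that PATH resolves to the freshly built /usr/local/bin/ruby, parses the version string to require 1.8.7 at patchlevel 22 or newer, and names whichever of openssl, zlib or readline fails to load instead of printing a single :success. The function names and the --run flag are my own choices.

```shell
#!/bin/sh
# Verification helper (added example, not from the original post).

# ruby_version_ok "<ruby --version output>" <wanted version> <min patchlevel>
# Returns 0 when the version matches and the patchlevel is >= the minimum.
ruby_version_ok() {
    line=$1; want_ver=$2; min_patch=$3
    # e.g. "ruby 1.8.7 (2008-06-20 patchlevel 22) [i686-linux]"
    got_ver=$(printf '%s\n' "$line" | sed -n 's/^ruby \([0-9][0-9.]*\) .*/\1/p')
    got_patch=$(printf '%s\n' "$line" | sed -n 's/.*patchlevel \([0-9][0-9]*\).*/\1/p')
    [ -n "$got_ver" ] && [ -n "$got_patch" ] || return 1
    [ "$got_ver" = "$want_ver" ] || return 1
    [ "$got_patch" -ge "$min_patch" ]
}

# missing_extensions <ruby binary> <lib>...
# Prints each library that fails to require; prints nothing and returns 0
# when every extension loads.
missing_extensions() {
    rb=$1; shift
    rc=0
    for lib in "$@"; do
        if ! "$rb" -r"$lib" -e '' >/dev/null 2>&1; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# check_ruby_install: the end-to-end check from the post, with a clearer report.
check_ruby_install() {
    rb=$(command -v ruby) || { echo "no ruby in PATH"; return 1; }
    case $rb in
        /usr/local/bin/ruby) ;;
        *) echo "warning: ruby resolves to $rb, not /usr/local/bin/ruby" ;;
    esac
    ver=$("$rb" --version)
    ruby_version_ok "$ver" 1.8.7 22 || { echo "unpatched ruby: $ver"; return 1; }
    missing=$(missing_extensions "$rb" openssl zlib readline) \
        || { echo "extensions missing: $missing"; return 1; }
    echo "ok: $ver"
}

# Run the full check only when invoked as: sh check_ruby.sh --run
if [ "${1:-}" = "--run" ]; then
    check_ruby_install
fi
```

Exit status is non-zero when the build is older than p22 or an extension is missing, so it can gate a deploy script.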

Now, run your tests, restart mongrels, and you’re safe. Phew.

Comments

  • Marshall said 1 day later:

    Nice write up, I have about 5 Ubuntu servers to update now. What if we use apt-get to manage our Ruby?

  • Ben Reubenstein said 7 days later:

    THANK YOU. Was about to pull my hair out trying to figure out why zlib was not working with my custom compile on Ubuntu…

  • Larry said 10 days later:

    Note that Ruby 1.8.7 breaks old Rails versions, e.g. v1.2.3

    Error msg: lib/active_support/core_ext/string/access.rb:43:in `first': undefined method `[]' for #<Enumerable::Enumerator:0xb72905d8> (NoMethodError)

    Fix: See link

    The patch needs to be added to boot.rb, not environment.rb

  • Larry said 10 days later:

    Hmmm, one more try:

    The fix is at: http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg528878.html
