Correlate Ruby version/build with patch number

I heard from a couple of sources about Ruby security concerns, quoting from http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

The official Ruby blog is reporting “multiple vulnerabilities” in the official Ruby interpreter (MRI). A significant number of versions are affected:

    * All versions prior to 1.8.5
    * All 1.8.5 versions prior to patch 231
    * All 1.8.6 versions prior to patch 230
    * All 1.8.7 versions prior to patch 22
    * All 1.9.0 versions prior to 1.9.0-2

I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #? However, I have no idea what that means in terms of patch # as listed above for say "All 1.8.5 versions prior to patch 231". Does anyone know how to correlate the two?

You can run this from the command line to get the patch level: ruby -e 'puts(RUBY_PATCHLEVEL)'

Best. Mike

Michael Breen wrote:

You can run this from the command line to get the patch level: ruby -e 'puts(RUBY_PATCHLEVEL)'

Best. Mike

that's true, but my understanding was that although my ubuntu ruby 1.8.6 says it's at patch level 111, it is in fact patched against the vulnerability

so, I believe I'm safe even though...

    matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
    111
    matthew@ruBuntu:~$ ruby --version
    ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

Matthew Rudy Jacobs wrote:

Michael Breen wrote:

You can run this from the command line to get the patch level: ruby -e 'puts(RUBY_PATCHLEVEL)'

Best. Mike

Thanks Mike, actually I did try that already but got an error

    C:\Documents and Settings\Bob>ruby -e 'puts(RUBY_PATCHLEVEL)'
    -e:1: uninitialized constant RUBY_PATCHLEVEL (NameError)

Any other ideas? Much appreciated.

that's true, but my understanding was that although my ubuntu ruby 1.8.6 says it's at patch level 111, it is in fact patched against the vulnerability

Bug #241657 “Multiple vulnerabilities in Ruby may lead to a deni...” : Hardy (8.04) : Bugs : ruby1.8 package : Ubuntu

so, I believe I'm safe even though...

    matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
    111
    matthew@ruBuntu:~$ ruby --version
    ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

Matthew,

On Windows, the ruby --version command doesn't even show patch level:

    C:\Documents and Settings\Bob>ruby --version
    ruby 1.8.5 (2006-08-25) [i386-mswin32]

What about from irb? (I don't have Windows so I can't test this for you)

    >> puts RUBY_PATCHLEVEL
    111
    => nil

Michael Breen wrote:

What about from irb? (I don't have Windows so I can't test this for you)

    >> puts RUBY_PATCHLEVEL
    111
    => nil
    >>

*Sigh* same result unfortunately: uninitialized constant. Is the Ruby on Windows that different than Linux?

Michael Breen wrote:

What about from irb? (I don't have Windows so I can't test this for you)

    puts RUBY_PATCHLEVEL
    111
    => nil

*Sigh* same result unfortunately: uninitialized constant. Is the Ruby on Windows that different than Linux?

I'm guessing that Ruby 1.8.5 on Windows didn't set this environment variable?

This might be a great question for the new RoR on Windows Google group.

Sorry I couldn't be more helpful.

Best. Mike
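
The check this thread is after, as an added Ruby example (not code from any poster): it compares a version and patch level with the thresholds quoted in the first post and guards against RUBY_PATCHLEVEL being undefined, as in the Windows 1.8.5 session above. The names advisory_status and running_interpreter_status are hypothetical, and treating an undefined patch level as 0 is an assumption.

```ruby
# First fixed upstream patch level per release series, as quoted in the thread.
FIXED_PATCHLEVEL = { "1.8.5" => 231, "1.8.6" => 230, "1.8.7" => 22 }

# Classify a version string and patch level against the quoted list.
# patchlevel is nil when the interpreter does not define RUBY_PATCHLEVEL.
# Returns :affected, :fixed_upstream, :unknown or :not_listed.
def advisory_status(version, patchlevel)
  parts = version.split(".").map { |p| p.to_i }

  # "All versions prior to 1.8.5"
  return :affected if (parts <=> [1, 8, 5]) < 0

  # 1.9.0 is listed by release name (1.9.0-2), which a patch level
  # alone cannot confirm, so report it as needing a manual check.
  return :unknown if version == "1.9.0"

  fixed = FIXED_PATCHLEVEL[version]
  return :not_listed if fixed.nil?   # series not named in the quoted list

  # Assumption: a build without the constant predates patch-level
  # numbering, so it is compared as patch level 0.
  level = patchlevel.nil? ? 0 : patchlevel
  level < fixed ? :affected : :fixed_upstream
end

# Same check for the interpreter running this script. defined? avoids the
# NameError seen in the thread when the constant does not exist.
def running_interpreter_status
  level = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  advisory_status(RUBY_VERSION, level)
end

if __FILE__ == $0
  level = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : "undefined"
  puts "ruby #{RUBY_VERSION} patchlevel #{level}: #{running_interpreter_status}"
end
```

The result reflects upstream numbering only. A distribution package can carry a backported fix without a new patch level, which is the situation the Ubuntu post describes, so the distribution's own advisory decides in that case.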

Michael Breen wrote: