Correlate Ruby version/build with patch number

I heard from a couple of sources about Ruby security concerns, quoting from
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html:

The official Ruby blog is reporting “multiple vulnerabilities” in the
official Ruby interpreter (MRI). A significant number of versions are
affected:

    * All versions prior to 1.8.5
    * All 1.8.5 versions prior to patch 231
    * All 1.8.6 versions prior to patch 230
    * All 1.8.7 versions prior to patch 22
    * All 1.9.0 versions prior to 1.9.0-2

I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #?
However, I have no idea what that means in terms of patch # as listed
above for say "All 1.8.5 versions prior to patch 231". Does anyone know
how to correlate the two?

You can run this from the command line to get the patch level:

    ruby -e 'puts(RUBY_PATCHLEVEL)'

Best.
Mike

That's true,
but my understanding was that although my Ubuntu Ruby 1.8.6 says it's at
patch level 111, it is in fact patched against the vulnerability

https://bugs.launchpad.net/ubuntu/hardy/+source/ruby1.8/+bug/241657

so, I believe I'm safe even though...

matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
111
matthew@ruBuntu:~$ ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

Thanks Mike, actually I did try that already but got an error

C:\Documents and Settings\Bob>ruby -e 'puts(RUBY_PATCHLEVEL)'
-e:1: uninitialized constant RUBY_PATCHLEVEL (NameError)

Any other ideas? Much appreciated.

Matthew,

On Windows, the ruby --version command doesn't even show patch level:

C:\Documents and Settings\Bob>ruby --version
ruby 1.8.5 (2006-08-25) [i386-mswin32]

What about from irb? (I don't have Windows so I can't test this for you)

>> puts RUBY_PATCHLEVEL
111
=> nil

*Sigh* same result unfortunately, uninitialized constant. Is the Ruby on
Windows that different than Linux?

I'm guessing that Ruby 1.8.5 on Windows didn't set this environment
variable?

This might be a great question for the new RoR on Windows google group.

Sorry I couldn't be more helpful.

Best.
Mike
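
An added example, not code from any poster in this thread: a Ruby check that compares a build's version and patch level with the affected-version list quoted in the first post, including the case seen above where RUBY_PATCHLEVEL is not defined. The names `advisory_status` and `FIXED_PATCHLEVEL` are made up here, and counting a missing patch level as affected is an assumption; the result describes upstream builds only, since a distribution package may carry a backported fix without changing its reported patch level.

```ruby
# Added example; not code from the thread. The thresholds are the first fixed
# patch levels in the affected-version list quoted in the first post.
FIXED_PATCHLEVEL = { "1.8.5" => 231, "1.8.6" => 230, "1.8.7" => 22 }

# Hypothetical helper. Returns :affected, :not_affected, :unknown or :not_listed
# for an upstream build. Pass nil as patchlevel when RUBY_PATCHLEVEL is undefined.
def advisory_status(version, patchlevel)
  parts = version.split(".").first(3).map { |s| s.to_i }
  release = parts.join(".")

  # "All versions prior to 1.8.5"
  return :affected if (parts <=> [1, 8, 5]) < 0

  if FIXED_PATCHLEVEL.key?(release)
    # Assumption: a build that reports no patch level cannot be shown to
    # include the fix, so it is counted as affected.
    return :affected if patchlevel.nil?
    return patchlevel < FIXED_PATCHLEVEL[release] ? :affected : :not_affected
  end

  # The list gives 1.9.0 a release suffix ("1.9.0-2"), not a patch number,
  # so the patch level alone cannot settle it.
  return :unknown if release == "1.9.0"

  :not_listed # version not covered by the quoted list
end

# Only constructs that Ruby 1.8 also accepts are used, so the check can run
# on the builds discussed in the thread.
if __FILE__ == $0
  level = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  puts "ruby #{RUBY_VERSION} patchlevel #{level.inspect}: " +
       advisory_status(RUBY_VERSION, level).to_s
end
```
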
