How do I install Ruby 1.8.4 on my server from source, with all patches applied?

Hya folks

I'm introducing Ruby to my workplace and tried installing it on our server. We're using RHEL and the most recent Ruby binary package we have in the repos is 1.8.1 (yikes indeed).

So the question is: what's the source tarball we should use to build a Ruby 1.8.4[1] that is both stable and has all the patches applied?

I found the tarball of the official 1.8.4 release[2], in the "stable" directory of ftp.ruby-lang.org. Unfortunately, it's dated 24/12/2005 and seems to be the original release, with none of the patches applied. My admin googled some critical security patches like [3], realized they were not included in the above tarball, and freaked out.

Thanks! -Chris

P.S. I already posted this question to the general Ruby ML and got no replies.

Chris Pearl wrote:

Hya folks

I'm introducing Ruby to my workplace and tried installing it on our server. We're using RHEL and the most recent Ruby binary package we have in the repos is 1.8.1 (yikes indeed).

Here's ruby 1.8.4 package for RHEL 4 that I'm using in production: ftp://eos.openintegra.com/rhel/4/backports/i386/ruby-1.8.4-1.el4.oi.i386.rpm

Chris Pearl wrote:

So the question is: what's the source tarball we should use to build a Ruby 1.8.4[1] that is both stable and has all the patches applied?

I found the tarball of the official 1.8.4 release[2], in the "stable" directory of ftp.ruby-lang.org. Unfortunately, it's dated 24/12/2005 and seems to be the original release, with none of the patches applied. My admin googled some critical security patches like [3], realized they were not included in the above tarball, and freaked out.

[1] We're installing 1.8.4 as it's the recommended Ruby version for Rails installations on the official download page: http://www.rubyonrails.com/down

[2] ftp://ftp.ruby-lang.org/pub/ruby/stable/ruby-1.8.4.tar.gz

[3] [SECURITY] Fedora Core 5 Update: ruby-1.8.4-8.fc5

Well, this is an interesting kettle of fish. This page:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

contains the worrying quote "currently the upstream does not plan to release patches", so it does look like there isn't and won't be any official Ruby release that contains these kinds of patches.

I wonder why not. Is the Ruby team not interested in maintaining old versions in general, or is it just that they don't consider these to be major security problems? Could be a question worth pursuing on the Ruby Core list.

Anyway, it looks like your choices are: (a) apply the patches yourself; (b) find a Linux distribution that's made these changes and get the source from them; or (c) install the updated Red Hat RPM manually.

Chris
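Option (a)/(b) above in practice, as an added example that is not code from this thread or from the Ruby project: unpack the pristine upstream tarball, pull the patch series out of a distribution's source package, and apply it in order before running configure/make. It assumes the patches are unified diffs meant for `-p1` from the source root, that their file names sort in the intended order (distro series are normally numbered for this), and that GNU patch is installed; the `.src.rpm` for the FC5 update cited above is only an example of where such a series would come from. The demo at the end uses a constructed two-line source tree and a one-hunk patch, not Ruby's sources or a real security fix.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Ruby project.
# Take a pristine upstream tarball and apply a distribution's patch series
# to it before ./configure && make, refusing to leave a half-patched tree.
# Assumptions: unified diffs applied with -p1 from the source root, file
# names sorting in the intended order, GNU patch available.
set -u

# extract_srpm_patches SRPM OUTDIR
# Pull only the *.patch members out of a source RPM (rpm2cpio + cpio).
# Not exercised by the demo below; it needs a real .src.rpm.
extract_srpm_patches() {
    mkdir -p "$2" && rpm2cpio "$1" | ( cd "$2" && cpio -idm '*.patch' )
}

# apply_patch_series SRC_DIR PATCH_DIR
# For each patch: dry-run first (-f: never prompt, never guess -R) and stop
# at the first one that would not apply cleanly. A patch that is already in
# the tree, or was written for another release, is therefore caught instead
# of silently producing a partially patched build.
apply_patch_series() {
    src=$1; pdir=$2
    for p in "$pdir"/*.patch; do
        [ -e "$p" ] || { echo "no *.patch files in $pdir" >&2; return 1; }
        if ! patch -p1 -d "$src" -s -f --dry-run -i "$p"; then
            echo "refusing to continue: $p does not apply cleanly" >&2
            return 1
        fi
        patch -p1 -d "$src" -s -f -i "$p" || return 1
        echo "applied $(basename "$p")"
    done
}

# demo_patch_series: constructed sample input (a three-line source file and
# a one-hunk patch), not Ruby's real sources or a real security patch.
# Returns 0 only if the patch applied and a second application was refused.
demo_patch_series() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src" "$work/patches"
    printf 'int main(void) {\n    return unsafe_call();\n}\n' > "$work/src/main.c"
    cat > "$work/patches/0001-use-safe-call.patch" <<'EOF'
--- a/main.c
+++ b/main.c
@@ -1,3 +1,3 @@
 int main(void) {
-    return unsafe_call();
+    return safe_call();
 }
EOF
    rc=1
    if apply_patch_series "$work/src" "$work/patches" \
       && grep -q 'safe_call' "$work/src/main.c" \
       && ! apply_patch_series "$work/src" "$work/patches" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

demo_patch_series && echo "demo: patch applied once, re-application refused"
```

For a real build the sequence is: extract `ruby-1.8.4.tar.gz` into a fresh directory, run `extract_srpm_patches` (or copy the patches from a Debian `.diff.gz`) into a separate directory, then `apply_patch_series ruby-1.8.4 patches` followed by `./configure && make && make install`. Always start from a freshly extracted tree; the dry-run only protects the current patch, and rerunning the series over an already patched tree is the failure it is designed to report.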

Thanks Sava and Chris.

Indeed, installing a patched Ruby 1.8.4 turned out to be surprisingly difficult, definitely a lot more than it should be.

Considering how the official Rails download page[1] links directly to the initial, unpatched releases, and the staggering amount of difficulty involved in obtaining and (if lucky) installing patched Ruby, one would imagine a horde of exploitable Rails servers, just waiting to be h4x0r3d...

I suppose the Core Ruby team may profess to be uninterested in the old 1.8.4 branch, which is "only" interesting for Rails, while the current official, stable branch is 1.8.5. However, 1.8.5 is afflicted with the same issue: prominent links to the initial unpatched point release, and an obscure, hard to find path for installing the patches and/or a fully patched version, making it all too easy for people to run unpatched, exploitable Ruby instances.

I guess I should raise it in the Rails Core ML unless someone better qualified than me will do so.

-Chris

Chris Pearl wrote:

I suppose the Core Ruby team may profess to be uninterested in the old 1.8.4 branch, which is "only" interesting for Rails, while the current official, stable branch is 1.8.5. However, 1.8.5 is afflicted with the same issue: prominent links to the initial unpatched point release, and an obscure, hard to find path for installing the patches and/or a fully patched version, making it all too easy for people to run unpatched, exploitable Ruby instances.

Yeah. Having had a brief look around, I can't find any evidence of official security releases from the Ruby maintainers, only downstream patches in individual distros. Unless I'm missing something, this does seem glaringly wrong.

I guess I should raise it in the Rails Core ML unless someone better qualified than me will do so.

Go for it. Can't do any harm, and it'd be good to get some clarification on the situation either way.

Chris