Patch your rubies
written by Steven on June 25, 2008
You probably have heard by now that there are some security issues with all the versions of Ruby and that you should upgrade your Ruby to get the fixes. The holes mainly involve buffer overruns and a particularly nasty vulnerability that only affects non-Unix based operating system. These effect Ruby versions 1.8.5, 1.8.6, 1.8.7 and 1.9.0. (Since I only use 1.8.6, that's all I'll talk about here.) The solution is to update 1.8.6 to version 1.8.6-230. Unfortunately p230 breaks rails and almost everything else running ruby. So what is a boy to do? Well Hong Li has come to the rescue. He has back ported the changes to p111 so the rest of us can apply his patch and secure our 1.8.6 machines at p111. The fix involves downloading Ruby 1.8.6-111, patching the source, compiling ruby and restarting your apps.
Here is how you do it:
- Run the following commands:
> wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz > tar zxvf ruby-1.8.6-p111.tar.gz > cd ruby-1.8.6-p111 > wget http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt > patch -i r8ee-security-patch-20080623.txt > ./configure > make > sudo make install
- Restart you mongrels and any other Ruby applications.
- While patching I would get the following:
index 410cc6f..c8278b7 100644 |--- a/lib/webrick/httpservlet/filehandler.rb |+++ b/lib/webrick/httpservlet/filehandler.rb -------------------------- File to patch:
* Just give it this path: lib/webrick/httpservlet/filehandler.rb
- Sometimes the sudo make install would fail with an error:
/bin/sh: ./miniruby: No such file or directory
* Just run "make clean" and then ./configure, make, sudo make install again.
Thanks to Wilson Bilkovich for pointing me in the direction of Hong Li's patch.