Ruby Security Bug

Posted by Blue Box Group on Tue Jun 09 22:36:00 UTC 2009


A Ruby security bug was announced this afternoon affecting almost all Ruby versions other than the most recent releases. Details on the announcement can be found here:

http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby

We are in the process of updating our RPMs for our customers using our CentOS Rails stack. We will post in this blog when those RPMs are available for customers to update.

For Ubuntu/Debian customers, we recommend applying the work-arounds listed in the article until the patched versions hit the vendor repos.

We will keep this post updated with more information as it becomes available.

Update Wednesday @ 1:10 AM (Wed Jun 10 08:10:22 UTC 2009) - We have rebuilt our RPMs with Ruby 1.8.6-p369. These are going into testing now; any customer who wants them before we complete our tests can have them immediately. We expect to have the final versions pushed out into our yum repo by end of business today. If you wish to use the test versions, please contact support and we will get you a URL.

Update Wednesday @ 9:28 AM (Wed Jun 10 16:28:10 UTC 2009) - Our rebuilt packages have gone through preliminary testing and appear to be working well. We’ve pushed them out to all our internal slices and are running on them now.

To update, complete the following steps:

1) Confirm you’re using our RPM stack by running the following command. If bbg-rails-stack is listed, you’re using our RPM stack. If it isn’t, contact us for assistance.

$ rpm -qa | grep bbg-rails-stack
bbg-rails-stack-1.3-2

2) If so, you should be able to update with a simple yum command. If you’re not, please contact our support department for assistance.

$ yum -y update ruby

3) When that’s done, you can confirm the update worked one of two ways:

$ ruby -v
ruby 1.8.6 (2009-06-08 patchlevel 369) [x86_64-linux]

$ ruby -e 'require "bigdecimal"; BigDecimal("E99999999").to_s("F"); puts "OK For: CVE-2009-1904"'
OK For: CVE-2009-1904

If your version string doesn’t match the above, or you get a segmentation fault when running that Ruby test, the update didn’t work.

4) Restart your application. For this change to take effect, you need to restart your application. If you’re using Mongrel, restarting the processes will be fine. If you’re using Passenger, you’ll want to restart Apache or Nginx to restart the Passenger daemons.
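For customers with more than one slice, the checks in steps 1 through 3 can be wrapped in a small script. This is an added example, not part of the original post or the Blue Box stack: it assumes only the 1.8.6 series (fixed at p369, as stated above) is in use and reports any other series as "unknown" so it gets looked at by hand.

```shell
#!/bin/sh
# Added example (not from the original post). Decides from a `ruby -v` line
# whether the interpreter is at least the 1.8.6-p369 build named above.
# Assumption: only the 1.8.6 series is considered; anything else is "unknown".

# Usage: ruby_patch_status "<one line of ruby -v output>"
# Prints "patched", "vulnerable" or "unknown"; returns 0, 1 or 2 respectively.
ruby_patch_status() {
    line=$1
    version=$(printf '%s\n' "$line" | sed -n 's/^ruby \([0-9][0-9.]*\) .*$/\1/p')
    patchlevel=$(printf '%s\n' "$line" | sed -n 's/.*patchlevel \([0-9][0-9]*\).*/\1/p')
    if [ "$version" != "1.8.6" ] || [ -z "$patchlevel" ]; then
        echo unknown
        return 2
    fi
    if [ "$patchlevel" -ge 369 ]; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Runs the BigDecimal test from step 3; a vulnerable build crashes instead of
# exiting 0, so the exit status is the verdict (output is discarded).
bigdecimal_probe() {
    if ruby -e 'require "bigdecimal"; BigDecimal("E99999999").to_s("F")' >/dev/null 2>&1; then
        echo "bigdecimal probe: OK For: CVE-2009-1904"
        return 0
    fi
    echo "bigdecimal probe: ruby crashed or failed; update did not take"
    return 1
}

# Live check for this host: step 1 (RPM stack), then the version and probe checks.
check_host() {
    if ! rpm -qa | grep -q '^bbg-rails-stack-'; then
        echo "bbg-rails-stack not installed; contact support before updating"
        return 2
    fi
    ruby_patch_status "$(ruby -v 2>&1)" || return $?
    bigdecimal_probe
}
```

Call `check_host` on each slice after `yum -y update ruby`; a non-zero return means the host still needs attention.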

If you can’t update your Ruby version for any reason, the Rails core team has listed a few temporary fixes you can try. Those are listed here:

http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby

If you have any questions, please do let us know!

  • Blue Box Tech Support
