RubyInstaller and OpenSSL version 1.0.1h


Serdar Sutay

Jun 9, 2014, 12:46:37 PM
to rubyin...@googlegroups.com
Hey folks, 

RubyInstaller contains OpenSSL version "OpenSSL 1.0.0k 5 Feb 2013" which contains the recently announced security vulnerability:


I know the RubyInstaller policy is not to do new releases when there is a vulnerability in the downstream components. Do you guys have any instructions on how we can patch the included OpenSSL manually to 1.0.0m or 1.0.1h?

I've found some binaries here (http://slproweb.com/products/Win32OpenSSL.html) but wasn't able to find a way to integrate them with RubyInstaller. 

Any help is appreciated. 

Thanks,
Serdar

Luis Lavena

Jun 9, 2014, 1:02:25 PM
to rubyin...@googlegroups.com
Hello,

On Mon, Jun 9, 2014 at 1:46 PM, Serdar Sutay <ser...@opscode.com> wrote:
> Hey folks,
>
> RubyInstaller contains OpenSSL version "OpenSSL 1.0.0k 5 Feb 2013" which contains the recently announced security vulnerability:
>
> I know the RubyInstaller policy is not to do new releases when there is a vulnerability in the downstream components. Do you guys have any instructions on how we can patch the included OpenSSL manually to 1.0.0m or 1.0.1h?


Please see previous 1.0.0m Knapsack package release notes:


You only need to update DLL files found in the bin directory of the package.
 
> I've found some binaries here (http://slproweb.com/products/Win32OpenSSL.html) but wasn't able to find a way to integrate them with RubyInstaller.


You should not be using other DLLs since the build tools might not be the same.

--
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
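
A check to run after replacing the DLLs, added here as an example (not code from the thread's participants or the RubyInstaller project): it parses the OpenSSL banner format quoted in the thread and compares it against the two patched releases named there. The helper names and the `PATCHED` table are assumptions of this example.

```ruby
require 'openssl'

# Minimum patched release per branch, taken from the versions named in this
# thread (1.0.0m and 1.0.1h). Other branches are reported as :unknown.
PATCHED = { '1.0.0' => 'm', '1.0.1' => 'h' }.freeze

# Split a banner such as "OpenSSL 1.0.0k 5 Feb 2013" into ["1.0.0", "k"].
# Returns nil when the banner is not in the classic OpenSSL x.y.z[letters] form.
def parse_openssl_banner(banner)
  m = /\AOpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:\s|\z)/.match(banner.to_s)
  m && [m[1], m[2]]
end

# Letter suffixes order as "" < a < ... < z < za < zb, so compare by length
# first and then alphabetically.
def patch_rank(letters)
  [letters.length, letters]
end

# Classify a banner as :patched, :outdated or :unknown.
def openssl_status(banner)
  branch, letters = parse_openssl_banner(banner)
  return :unknown unless branch && PATCHED.key?(branch)
  (patch_rank(letters) <=> patch_rank(PATCHED[branch])) >= 0 ? :patched : :outdated
end

# OPENSSL_VERSION is the header version Ruby was compiled against and does not
# change when DLLs are swapped; OPENSSL_LIBRARY_VERSION (absent on older Rubies)
# is the library actually loaded, which is the one that matters after a swap.
def report
  banners = { 'built against' => OpenSSL::OPENSSL_VERSION }
  if OpenSSL.const_defined?(:OPENSSL_LIBRARY_VERSION)
    banners['loaded at runtime'] = OpenSSL::OPENSSL_LIBRARY_VERSION
  end
  banners.map { |label, banner| "#{label}: #{banner} => #{openssl_status(banner)}" }
end

puts report if __FILE__ == $PROGRAM_NAME
```

Run it with the `ruby.exe` from the installation whose `bin` directory was updated, so the DLLs it loads are the ones being checked.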

Serdar Sutay

Jun 9, 2014, 1:16:29 PM
to rubyin...@googlegroups.com
Awesome. Thanks for the help Luis. Sorry I missed the original post. 

-- Serdar