OpenSSL versions in Ruby

14 views
Skip to first unread message

Jamie Orchard-Hays

unread,
Apr 10, 2014, 4:59:02 PM4/10/14
to railsmachin...@googlegroups.com
Today I discovered that releases of Ruby prior to this week have the heartbleed-vulnerable versions of OpenSSL linked.

What are the ramifications of this if we're connecting to anything using SSL with Ruby, if any.

Also, which of the Major/Minor versions does Moonshine currently support?

I'd love to move up to 2.1.1, but IIRC there were Puppet issues with > 2.0.x

Cheers,

Jamie

Kevin Lawver

unread,
Apr 10, 2014, 5:01:28 PM4/10/14
to railsmachin...@googlegroups.com
We're not planning on moving to 2.1 until 2.1.2 comes out because of some GC issues and Hash issues in 2.1.0 and 2.1.1.

The heartbleed vulnerability is with people connecting to you, not you connecting to other people, and I'm assuming you're using Apache to handle your SSL things, so unless you've found a CVE that says otherwise, heartbleed shouldn't apply to ruby at all.
> --
> You received this message because you are subscribed to the Google Groups "Moonshine" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to railsmachine-moon...@googlegroups.com.
> To post to this group, send email to railsmachin...@googlegroups.com.
> Visit this group at http://groups.google.com/group/railsmachine-moonshine.
> For more options, visit https://groups.google.com/d/optout.

Jamie Orchard-Hays

unread,
Apr 10, 2014, 5:19:42 PM4/10/14
to railsmachin...@googlegroups.com
Thanks, Kevin. That was my understanding, but I wanted a sanity check.

So, 1.9.3 or 2.0.x? I've been on 1.9.3, but want to get up to the 2.x world soon.

Jamie

Kevin Lawver

unread,
Apr 11, 2014, 8:05:37 AM4/11/14
to railsmachin...@googlegroups.com
We haven't noticed a huge difference between 1.9.3 and 2.0 in the apps we've upgraded to, but I don't see a reason not to upgrade.

Jarin Udom

unread,
May 2, 2014, 11:03:06 AM5/2/14
to railsmachin...@googlegroups.com
I haven't put it into production yet, but I've tested it with Vagrant and Moonshine seems to work ok with Ruby 2.1.1. Here's what I put in my deploy.rb (I set rubygems and bundler to higher versions too):

namespace :ruby do
  task :src211 do
    remove_ruby_from_apt
    libyaml.install
    pv = "2.1.1"
    p = "ruby-#{pv}"
    run [
      'cd /tmp',
      "sudo rm -rf #{p}* || true",
      'sudo mkdir -p /usr/lib/ruby/gems/2.1.1/gems || true',
      "tar xzf #{p}.tar.gz",
      "cd /tmp/#{p}",
      './configure --prefix=/usr',
      'make',
      'sudo make install'
    ].join(' && ')
    set :rubygems_version, fetch(:rubygems_version, '2.2.2')
    set :bundler_version, fetch(:bundler_version, '1.6.2')
  end
end

You also need to change this line in vendor/plugins/moonshine/lib/moonshine/capistrano_integration.rb from
            sudo 'gem install rake --no-rdoc --no-ri' unless fetch(:ruby).start_with?('src200')
to
            sudo 'gem install rake --no-rdoc --no-ri' unless fetch(:ruby).start_with?('src2')
or else it will try to install rake and stall during cap ruby:upgrade.

I haven't checked out the GC/Hash issues that Kevin pointed out, but I believe they're fixed in Github's Ruby fork: https://github.com/github/ruby

Jarin
Reply all
Reply to author
Forward
0 new messages