Can't find Ruby patch level


Bob Ngu

Jun 29, 2008, 12:18:23 PM
to Ruby on Rails Windows
I heard from a couple of sources about Ruby security concerns, quoting
from
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

The official Ruby blog is reporting “multiple vulnerabilities” in the
official Ruby interpreter (MRI). A significant number of versions are
affected:

* All versions prior to 1.8.5
* All 1.8.5 versions prior to patch 231
* All 1.8.6 versions prior to patch 230
* All 1.8.7 versions prior to patch 22
* All 1.9.0 versions prior to 1.9.0-2

I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #?
However, I have no idea what that means in terms of patch # as listed
above for say "All 1.8.5 versions prior to patch 231". Does anyone
know how to correlate the two?

Here's what I have tried based on suggestions...
Matthew Rudy Jacobs wrote:
> Michael Breen wrote:
>> You can run this from the command line to get the patch level: ruby -e
>> 'puts(RUBY_PATCHLEVEL)'
>>
>> Best.
>> Mike
>
Thanks Mike, actually I did try that already but got an error

C:\Documents and Settings\Bob>ruby -e 'puts(RUBY_PATCHLEVEL)'
-e:1: uninitialized constant RUBY_PATCHLEVEL (NameError)

Any other ideas? Much appreciated.

> that's true,
> but my understanding was that although my ubuntu ruby 1.8.6 says it's at
> patch level 111, it is in fact patched against the vulnerability
>
> https://bugs.launchpad.net/ubuntu/hardy/+source/ruby1.8/+bug/241657
>
> so, I believe I'm safe even though...
>
> matthew@ruBuntu:~$ ruby -e 'puts(RUBY_PATCHLEVEL)'
> 111
> matthew@ruBuntu:~$ ruby --version
> ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

Michael Breen wrote:
> what about from irb? (I don't have windows so I can't test this for you)
>
> >> puts RUBY_PATCHLEVEL
> 111
> => nil
> >>

*Sigh* same result unfortunately: uninitialized constant. Is Ruby on
Windows that different than Linux?

Any other ideas?

bill walton

Jun 29, 2008, 4:11:29 PM
to Ruby on Rails Windows
Hi Bob,

On Jun 29, 11:18 am, Bob Ngu <bob_...@yahoo.com> wrote:
> I believe my Ruby is version 1.8.5.32-2, and 32-2 is the build #?
> However, I have no idea what that means in terms of patch # as listed
> above for say "All 1.8.5 versions prior to patch 231". Does anyone
> know how to correlate the two?

I'm not sure where you're getting the build#. Assuming ruby is in
your path, enter...

ruby -v

On my system (Instant Rails on XP) returns the version (1.8.6) and the
patchlevel (111).

C:\InstantRails-2.0\rails_apps>ruby -v
ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]

HTH,
Bill

Bob Ngu

Jun 29, 2008, 9:49:19 PM
to Ruby on Rails Windows
Sadly, that was the first command I tried without any success.
C:\Documents and Settings\Bob>ruby -v
ruby 1.8.5 (2006-08-25) [i386-mswin32]

I didn't use InstantRails though, I set up all the pieces separately
but I don't think that matters. It's probably the version of Ruby I am
using, perhaps prior to PATCHLEVEL being available?

Bob Ngu

Jun 30, 2008, 6:52:06 PM
to Ruby on Rails Windows
BTW I got this response today from the Ruby forum that's actually
helpful

If you installed your ruby from one-click installer, it's vulnerable
(There's no OCI for p231 yet, and most probably never will be)
If you installed your ruby more than two weeks ago (today is
6/30/2008), it's vulnerable
(I.e. your ruby must be newer than the announcement).
Note that some of the versions you listed are broken, so please read
through recent posts to determine which version you really want.
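
Added example, not part of any post in this thread: a Ruby check that parses the `ruby -v` banners posted above, reads the patch level without raising NameError on builds that lack RUBY_PATCHLEVEL, and compares the result with the affected-version list quoted in the first post. The function names are made up for illustration, and treating a missing patch level as 0 is an assumption.

```ruby
# Added example: not code from the thread. Thresholds come from the list
# quoted in the first post; the banner strings below are the ones posted.

# First fixed patchlevel per 1.8.x branch, as listed in the quoted advisory.
FIXED_PATCHLEVEL = { [1, 8, 5] => 231, [1, 8, 6] => 230, [1, 8, 7] => 22 }.freeze

# Parse a `ruby -v` banner. Returns [version, patchlevel], where patchlevel
# is nil when the banner carries none (as in the 1.8.5 mswin32 output).
def parse_banner(banner)
  m = /\Aruby (\d+(?:\.\d+)+)\s+\(\d{4}-\d{2}-\d{2}(?: patchlevel (\d+))?/.match(banner)
  return nil unless m
  [m[1], m[2] && m[2].to_i]
end

# Classify against the quoted list: :affected, :not_affected, :unknown
# (1.9.0 is identified by release 1.9.0-2, not by a patch number) or
# :not_listed (version newer than anything in the list).
def classify(version, patchlevel)
  v = version.split('.').map(&:to_i)
  return :affected if (v <=> [1, 8, 5]) < 0
  return :unknown if v == [1, 9, 0]
  fixed = FIXED_PATCHLEVEL[v]
  return :not_listed unless fixed
  # Assumption: a build with no patchlevel predates patch numbering -> 0.
  (patchlevel || 0) < fixed ? :affected : :not_affected
end

# Read the running interpreter without raising NameError on old builds.
def running_patchlevel
  defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
end

if __FILE__ == $PROGRAM_NAME
  [
    'ruby 1.8.5 (2006-08-25) [i386-mswin32]',
    'ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]'
  ].each do |banner|
    version, patch = parse_banner(banner)
    puts "#{banner} => #{classify(version, patch)}"
  end
  puts "running: #{RUBY_VERSION} p#{running_patchlevel.inspect} => " \
       "#{classify(RUBY_VERSION, running_patchlevel)}"
end
```

The result only compares against upstream patch numbers; a distribution package can carry a backported fix at an older patch level, so :affected there means "check the vendor's advisory".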