macnn
06/20/2008, 4:15pm, EDT
Apple tech discovers Ruby security hole
A security advisory credits an Apple engineer with identifying vulnerabilities in the Ruby programming language. Drew Yao of the Apple Product Security team is reported to have found multiple arbitrary code execution vulnerabilities which, if exploited, could also be used to mount a denial-of-service attack or otherwise compromise a system. The vulnerabilities affect specific versions of Ruby 1.8.4 through 1.8.7, and 1.9.
Ruby 1.8 users can fix the problem by upgrading to the patched release for their branch: 1.8.5-p231, 1.8.6-p230 or 1.8.7-p22. Ruby 1.9 users must move to 1.9.0-2. These updates also address a WEBrick vulnerability.
Mac OS X Leopard includes Ruby on Rails, a Ruby-based framework meant to speed up web development.
Filed under: security, developer, Apple
Other story tags: Ruby
how to fix...
I was running 10.5.2, and I was vulnerable (yeah, I really need to update my lazy ass to 10.5.3...). If you follow the link in the story, you can see which patchlevel of Ruby you need to be safe. You can check which patchlevel of Ruby you have installed by launching Terminal.app (in your Utilities folder) and typing "ruby --version". Mine was reported as "ruby 1.8.6 (2007-09-24 patchlevel 111)". The article says that for Ruby 1.8.6, anything below patchlevel 230 is vulnerable, so I had to download and install Ruby 1.8.6 p230 to fix this vulnerability. I'm sure Apple will have an automated fix ready soon, but that's how you close the hole now.
how to fix...
Actually, there's no OS X installer, so you have to update Ruby the old-fashioned way. You have to have the Developer Tools installed (so you have gcc). Then, in the Terminal, change to your superuser (admin) account if you aren't logged in as an admin (type "su " - note the space - followed by your admin username, hit enter, then enter your admin password and hit enter). Then cd to the new Ruby directory you just downloaded and uncompressed (type "cd " - note the space after 'cd' - then drag the Ruby folder onto the Terminal window, and hit enter). Then enter the following commands, hitting enter after each one and waiting until it's finished before doing the next one:
"sudo ./configure"
"sudo make"
"sudo make install"
That should do it, and you should be all set with the new version, as can be verified by typing "ruby --version" again.
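The check the commenter above does by eye (read the `ruby --version` banner, compare the patchlevel against the fixed releases the article lists) can be scripted. The following is an added example and not code from the article, the advisory or the commenters; it assumes the 1.8-era banner format "ruby X.Y.Z (DATE patchlevel N) [platform]" and encodes only the fixed patchlevels the article names.

```ruby
# Added example (not from the article or its comments): decide from a
# `ruby --version` banner whether the installed Ruby is below the
# patchlevels the article lists as fixed for the June 2008 advisory.

# Lowest fixed patchlevel per 1.8 branch, as given in the article.
FIXED_PATCHLEVEL = {
  [1, 8, 5] => 231,
  [1, 8, 6] => 230,
  [1, 8, 7] => 22,
}.freeze

# Parse a banner such as "ruby 1.8.6 (2007-09-24 patchlevel 111) [universal-darwin9.0]"
# into { version: [1, 8, 6], patchlevel: 111 }. Returns nil when the string
# does not look like a Ruby banner; patchlevel is nil when the banner carries
# none (1.9 prints a revision instead, and 1.8.4 prints only the date).
def parse_ruby_banner(banner)
  m = banner.match(/\Aruby (\d+)\.(\d+)\.(\d+) \(([^)]*)\)/)
  return nil unless m
  pl = m[4][/patchlevel (\d+)/, 1]
  { version: [m[1].to_i, m[2].to_i, m[3].to_i], patchlevel: pl && pl.to_i }
end

# Classify a banner as :vulnerable, :fixed, :check_manually or :not_listed.
def ruby_status(banner)
  info = parse_ruby_banner(banner)
  return :check_manually unless info
  v = info[:version]

  # 1.8.4 is listed as affected and the article names no patched 1.8.4
  # release, so the only remedy is moving to a fixed branch.
  return :vulnerable if v == [1, 8, 4]

  if (minimum = FIXED_PATCHLEVEL[v])
    # A banner without a patchlevel is the unpatched base release (p0).
    patchlevel = info[:patchlevel] || 0
    return patchlevel >= minimum ? :fixed : :vulnerable
  end

  # The 1.9 fix is the 1.9.0-2 release; that release number does not appear
  # in the banner, so the banner alone cannot settle it.
  return :check_manually if v[0, 2] == [1, 9]

  # Anything else is outside the range the article names.
  :not_listed
end

# Same check for the interpreter running this script, built from the
# constants Ruby uses to print its own banner (assumption: RUBY_PATCHLEVEL
# is defined, which holds for 1.8.6 and later).
def running_ruby_status
  banner = "ruby #{RUBY_VERSION} (#{RUBY_RELEASE_DATE} patchlevel #{RUBY_PATCHLEVEL})"
  ruby_status(banner)
end

if __FILE__ == $0
  # Usage: ruby check_ruby_advisory.rb            (checks this interpreter)
  #        ruby check_ruby_advisory.rb "ruby 1.8.6 (2007-09-24 patchlevel 111)"
  if ARGV.empty?
    puts "this interpreter: #{running_ruby_status}"
  else
    banner = ARGV.join(" ")
    puts "#{banner}: #{ruby_status(banner)}"
  end
end
```

Run it with the banner from a Leopard machine and it reports :vulnerable for the stock 1.8.6 p111 and p0 builds and :fixed once 1.8.6 p230 is installed; a 1.9.0 banner is reported as :check_manually because the 1.9.0-2 release number is not visible in `ruby --version`.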
Your retarded weasel
Just use Software Update to update Ruby.
woops
Don't I feel dumb. Note to self, check SU before following the story link to the geek blog posting...
SU doesn't update Ruby
I'm at 1.8.6 (2007-03-13 patchlevel 0) and Software Update doesn't offer any update. So thanks WiseWeasel, I'll follow your instructions as soon as I have time.