
Apple tech discovers Ruby security hole

updated 04:15 pm EDT, Fri June 20, 2008


An Apple technician has identified vulnerabilities in the Ruby development platform, a security warning explains. Drew Yao of the Apple Product Security team is said to have discovered multiple arbitrary code vulnerabilities, which, if exploited, could be used to run a denial-of-service attack or to undermine a system by other local means. The vulnerabilities only impact specific versions of Ruby: 1.8.4 through 1.8.7, and 1.9.

Ruby 1.8 users can fix the problem by upgrading to 1.8.5-p231, 1.8.6-p230 or 1.8.7-p22, while v1.9 users must switch to 1.9.0-2. These updates also address a WEBrick vulnerability.

Mac OS X Leopard includes Ruby on Rails, a Ruby-based framework meant to speed up web development.


by MacNN Staff


Comments

  1. WiseWeasel

    Fresh-Faced Recruit

    Joined: Apr 1999

    +2

    how to fix...

    I was running 10.5.2, and I was vulnerable (yeah, I really need to update my lazy a** to 10.5.3...). If you follow the link in the story, you can see which patchlevel of ruby you need to be safe. You can check which patchlevel of ruby you have installed by launching the Terminal.app (in your utilities folder), and typing "ruby --version". Mine was reported as "ruby 1.8.6 (2007-09-24 patchlevel 111)". The article says that for ruby 1.8.6, anything below patchlevel 230 is vulnerable, therefore, I had to download and install ruby 1.8.6 p230 to fix this vulnerability. I'm sure Apple will have an automated fix ready soon, but that's how you close the hole now.

  1. WiseWeasel

    Fresh-Faced Recruit

    Joined: Apr 1999

    +3

    how to fix...

    Actually, there's no OS X installer, so you have to update ruby the old-fashioned way. You have to have the Developer Tools installed (so you have gcc installed). Then you have to (in the Terminal) change to your superuser (admin) account if you aren't logged in as an admin (type "su " - note the space - and then your admin username, and hit enter, and enter your admin password and hit enter). Then you have to cd to the new ruby directory you just downloaded and uncompressed (type "cd " - note the space after 'cd' - and then drag the ruby folder onto the terminal window, and hit enter). Then you enter the following commands and hit enter after each one, and wait until it's finished before doing the next one:
    "sudo ./configure"
    "sudo make"
    "sudo make install"
    That should do it, and you should be all set with the new version, as can be verified by typing "ruby --version" again.

  1. Guest

    Fresh-Faced Recruit

    Joined: Nov 1999

    -10

    Your retarded weasel

    Just use your software update to update ruby

  1. WiseWeasel

    Fresh-Faced Recruit

    Joined: Apr 1999

    +3

    woops

    Don't I feel dumb. Note to self, check SU before following the story link to the geek blog posting...

  1. Deakin

    Fresh-Faced Recruit

    Joined: Mar 2005

    +4

    SU doesn't update Ruby

    I'm at 1.8.6 (2007-03-13 patchlevel 0) and Software Updates doesn't offer any update. So thanks WiseWeasel, I'll follow your instructions as soon as I have time.
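
The patchlevel check the commenters do by eye can be scripted. This is an added example, not part of the article or any comment and not code from the Ruby project: it compares a `ruby --version` line against the fixed releases named in the article. The function name, status symbols and the third sample line are assumptions made for illustration.

```ruby
# Added example: minimum safe patchlevels are the fixed releases named in the article.
FIXED_PATCHLEVEL = { "1.8.5" => 231, "1.8.6" => 230, "1.8.7" => 22 }.freeze

# Format quoted in the comments: ruby 1.8.6 (2007-09-24 patchlevel 111)
# The leading "ruby " is optional because one commenter quotes the string without it.
VERSION_RE = /\A(?:ruby )?(\d+\.\d+\.\d+)\S* \(\d{4}-\d{2}-\d{2}(?: patchlevel (\d+))?/

# Returns [status, explanation] for one line of `ruby --version` output.
def assess(version_line)
  m = VERSION_RE.match(version_line.to_s.strip)
  return [:unparsed, "not in the expected version format"] unless m

  version = m[1]
  patch = m[2] && m[2].to_i

  if FIXED_PATCHLEVEL.key?(version)
    needed = FIXED_PATCHLEVEL[version]
    return [:unknown, "no patchlevel reported; need p#{needed} or later"] if patch.nil?
    return [:patched, "p#{patch} is at or above p#{needed}"] if patch >= needed
    [:vulnerable, "p#{patch} is below p#{needed}"]
  elsif version == "1.8.4"
    # The article lists 1.8.4 as affected but names no fixed 1.8.4 build.
    [:vulnerable, "1.8.4 is affected and the article lists no fixed 1.8.4 build"]
  elsif version == "1.9.0"
    # The article gives the 1.9 fix as a release (1.9.0-2), not a patchlevel.
    [:check_release, "fix is release 1.9.0-2, which is not a patchlevel number"]
  else
    [:not_listed, "#{version} is not among the versions the article covers"]
  end
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    "ruby 1.8.6 (2007-09-24 patchlevel 111)", # quoted in the first comment
    "1.8.6 (2007-03-13 patchlevel 0)",        # quoted in the last comment
    "ruby 1.8.6 (2008-06-20 patchlevel 230)", # constructed sample line
  ]
  samples.each do |line|
    status, why = assess(line)
    puts "#{line} -> #{status} (#{why})"
  end
end
```

To check the installed interpreter instead of the sample lines, pass the output of `ruby --version` to `assess`.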
