For those who don’t know, a number of security vulnerabilities in Ruby have recently been disclosed. The affected Ruby versions are:
- All versions prior to 1.8.5
- All 1.8.5 versions prior to patch 231
- All 1.8.6 versions prior to patch 230
- All 1.8.7 versions prior to patch 22
- All 1.9.0 versions prior to 1.9.0-2
The CVE links on the Ruby website don’t disclose any information on the vulnerabilities, but Peter Cooper from RubyInside has posted more details.
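The affected-version list above is easy to misread when the only thing you have is the output of `ruby -v`, so here is a small checker that encodes it. This is an added example and is not part of the original post or of Ruby Enterprise Edition; the sample `ruby -v` lines are constructed, and treating the release number in `1.9.0-N` as the patchlevel for the 1.9.0 comparison is an assumption made for the example.

```ruby
# Added example: decides whether a Ruby build falls inside the affected
# ranges listed in the post. Not code from the original post or from REE.

# Minimum safe patchlevel per version line. Anything older than 1.8.5 is
# affected regardless of patchlevel. For 1.9.0 the number is the "-N"
# release suffix (assumption: compared like a patchlevel).
MIN_SAFE_PATCHLEVEL = {
  '1.8.5' => 231,
  '1.8.6' => 230,
  '1.8.7' => 22,
  '1.9.0' => 2,
}.freeze

# "1.8.6" -> [1, 8, 6] so versions compare numerically, not as strings.
def version_tuple(version)
  version.split('.').map { |part| part.to_i }
end

# true  -> inside an affected range from the advisory list
# false -> at or above the fixed patchlevel for that line
# nil   -> version line not covered by the list (e.g. 1.9.1 or later)
def affected?(version, patchlevel)
  return true if (version_tuple(version) <=> [1, 8, 5]) < 0
  threshold = MIN_SAFE_PATCHLEVEL[version]
  return nil if threshold.nil?
  patchlevel < threshold
end

# Parses the 1.8.x "ruby -v" banner, e.g.
#   ruby 1.8.6 (2008-03-03 patchlevel 114) [x86_64-linux]
# Returns [version, patchlevel] or nil when the banner has no patchlevel
# (1.9.0 prints a revision instead, so it must be checked by hand).
def parse_ruby_v(line)
  m = line.match(/\Aruby (\d+\.\d+\.\d+) \(\S+ patchlevel (\d+)\)/)
  return nil unless m
  [m[1], m[2].to_i]
end

# Convenience wrapper: classify a "ruby -v" line, or :unknown if unparsable.
def classify_banner(line)
  parsed = parse_ruby_v(line)
  return :unknown if parsed.nil?
  case affected?(*parsed)
  when true  then :affected
  when false then :fixed
  else :not_listed
  end
end

# Check the interpreter this script runs under.
def self_check
  affected?(RUBY_VERSION, RUBY_PATCHLEVEL)
end

if __FILE__ == $0
  # Constructed sample banners, not real output captured from a server.
  [
    'ruby 1.8.6 (2008-03-03 patchlevel 114) [x86_64-linux]',
    'ruby 1.8.6 (2008-06-20 patchlevel 230) [x86_64-linux]',
    'ruby 1.8.7 (2008-06-20 patchlevel 22) [x86_64-linux]',
    'ruby 1.9.0 (2008-06-20 revision 17482) [x86_64-linux]',
  ].each { |banner| puts "#{classify_banner(banner).to_s.ljust(10)} #{banner}" }
  puts "this interpreter (#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}): #{self_check.inspect}"
end
```

Run it on each server with `ruby check.rb`, or feed it the banner of the interpreter your Mongrel processes actually start with, since that is not always the `ruby` first on your shell's PATH.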
Unfortunately, Ruby 1.8.7 is incompatible with all Rails versions prior to 2.1, according to the official Rails blog. Ruby 1.8.6-p230 isn’t much better: it breaks a number of applications and libraries. For example, Frédéric de Villamil, author of the well-known Typo blogging software, hosts a number of Typo blogs, and they have all been broken by the 1.8.6-p230 update.
Needless to say, nobody wants to choose between “leaving a security hole wide open” and “my apps don’t work”.
Ruby Enterprise Edition to the rescue
We released Ruby Enterprise Edition 1.8.6-20080621 yesterday, which is based on Ruby 1.8.6-p230. Because it is based on p230, it inherits the same breakage and so breaks some apps.
Today we backported the security patches to Ruby 1.8.6-p111, and made a special Ruby Enterprise Edition release based on that. This release:
- doesn’t break your apps, since it is p111 plus the backported security fixes rather than p230. Frédéric is happily running it on his production servers right now.
- doesn’t suffer from the security vulnerabilities.
- works with your existing Mongrel setup. Ruby Enterprise Edition works best in combination with Phusion Passenger, but you don’t have to go for that combo.
- includes the usual Ruby Enterprise Edition features, such as reduced memory usage and improved performance.
- comes with an easy-to-install source tarball (which includes an installer).
- comes with an Ubuntu 8.04 package. For convenience, this package bundles many common gems so that you don’t have to (re)install them manually. Multiple Rails versions are included. The full gem list is:
- actionmailer (2.1.0, 2.0.2, 1.3.6, 1.2.5)
- actionpack (2.1.0, 2.0.2, 1.13.6, 1.12.5)
- actionwebservice (1.2.6, 1.1.6)
- activerecord (2.1.0, 2.0.2, 1.15.6, 1.14.4)
- activeresource (2.1.0, 2.0.2)
- activesupport (2.1.0, 2.0.2, 1.4.4, 1.3.1)
- cgi_multipart_eof_fix (2.5.0)
- daemons (1.0.10)
- eventmachine (0.12.0)
- fastthread (1.0.1)
- gem_plugin (0.2.3)
- haml (2.0.0)
- hpricot (0.6)
- mongrel (1.1.5)
- mongrel_cluster (1.0.5)
- mysql (2.7)
- passenger (1.9.1)
- postgres (0.7.9.2008.01.28)
- rack (0.3.0)
- rails (2.1.0, 2.0.2, 1.2.6, 1.1.6)
- rake (0.8.1)
- rspec (1.1.4)
- sqlite3-ruby (1.2.2)
- thin (0.8.1)
Download & usage
Everything in Ruby Enterprise Edition is self-contained, so switching to it is only a matter of running its binaries instead of your system Ruby in the commands you normally run. For example, if you’re using Mongrel on your production servers, then type:
/opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails cluster::start