
Ruby 1.8.6-p230/1.8.7 broke your app? Ruby Enterprise Edition to the rescue!

By Hongli Lai on June 23rd, 2008

For those who don’t know, a number of security vulnerabilities in Ruby have recently been discovered. Affected Ruby versions are:

  • All versions prior to 1.8.5
  • All 1.8.5 versions prior to patch 231
  • All 1.8.6 versions prior to patch 230
  • All 1.8.7 versions prior to patch 22
  • All 1.9.0 versions prior to 1.9.0-2
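
To turn that list into something an operator can run across a fleet, the following script (an added example, not part of the Phusion post or of Ruby Enterprise Edition) classifies a `ruby -v` banner against the affected versions above. The sample banners are constructed for illustration (the 1.8.7 one matches the banner a commenter quotes further down); the script deliberately answers `:unknown` where the banner alone cannot decide, such as a 1.8.6 build that reports no patchlevel, which is exactly what a p111 build carrying backported fixes looks like.

```ruby
# Added example (not part of the Phusion post): classify a `ruby -v` banner
# against the affected-version list given in the post. Old-style hash syntax
# is used on purpose so the script also runs on the 1.8 rubies it inspects.

# Lowest patchlevel that carries the fixes, per the post's list.
FIXED_PATCHLEVEL = {
  "1.8.5" => 231,
  "1.8.6" => 230,
  "1.8.7" => 22
}

# Pull "x.y.z" and the optional "patchlevel N" out of a banner such as
#   ruby 1.8.7 (2008-06-20 patchlevel 22) [powerpc-darwin9]
# Returns nil when the line is not a ruby banner at all.
def parse_ruby_banner(banner)
  m = banner.match(/\Aruby (\d+\.\d+\.\d+) \(([^)]*)\)/)
  return nil unless m
  patchlevel = m[2][/patchlevel (\d+)/, 1]
  { :version => m[1], :patchlevel => patchlevel && patchlevel.to_i }
end

# :vulnerable   - version/patchlevel is on the affected list
# :patched      - 1.8.x at or above the fixed patchlevel
# :unknown      - cannot be decided from the banner alone (see comments)
# :unparseable  - not a ruby banner
def vulnerability_status(banner)
  info = parse_ruby_banner(banner)
  return :unparseable unless info
  major, minor, tiny = info[:version].split(".").map { |n| n.to_i }
  # 1.9.0: the post identifies the fix by release (1.9.0-2), which the
  # banner does not carry, so it has to be checked by hand.
  return :unknown if major == 1 && minor == 9
  # "All versions prior to 1.8.5" are affected regardless of patchlevel.
  return :vulnerable if ([major, minor, tiny] <=> [1, 8, 5]) < 0
  required = FIXED_PATCHLEVEL[info[:version]]
  # A ruby newer than the post covers is outside this table.
  return :unknown if required.nil?
  # No patchlevel in the banner: for example a p111-based build with the
  # fixes backported reports "ruby 1.8.6 (2007-09-24)", which the banner
  # cannot tell apart from a plain, unpatched p111.
  return :unknown if info[:patchlevel].nil?
  info[:patchlevel] < required ? :vulnerable : :patched
end

# Constructed sample banners for demonstration.
SAMPLE_BANNERS = [
  "ruby 1.8.7 (2008-06-20 patchlevel 22) [powerpc-darwin9]",
  "ruby 1.8.6 (2008-03-03 patchlevel 114) [i686-darwin9.4.0]",
  "ruby 1.8.6 (2007-09-24) [i686-darwin9.3.0]",
  "ruby 1.8.4 (2005-12-24) [i686-linux]",
  "not a ruby banner"
]

if __FILE__ == $0
  SAMPLE_BANNERS.each { |b| puts "#{vulnerability_status(b).to_s.ljust(11)} #{b}" }
  # Also check the interpreter running this script (RUBY_DESCRIPTION exists from 1.8.7 on).
  puts "#{vulnerability_status(RUBY_DESCRIPTION)} (this interpreter)" if defined?(RUBY_DESCRIPTION)
end
```

Feed it the output of `ruby -v` from each host (`ruby -v | ruby check.rb` after swapping the sample list for `$stdin.read`, or simply run it under the interpreter in question); anything that comes back `:unknown` needs a look at how that ruby was built rather than a glance at its version string.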

The CVE links on the Ruby website don’t disclose any information on the vulnerabilities, but Peter Cooper from RubyInside has posted more details.

Unfortunately, Ruby 1.8.7 is incompatible with all Rails versions prior to 2.1, according to the official Rails blog. Ruby 1.8.6-p230 isn’t much better: it breaks a number of applications and libraries. For example, Frédéric de Villamil, author of the well-known Typo blogging software, hosts a number of Typo blogs, and they have all been broken by the 1.8.6-p230 update.

Needless to say, nobody wants to choose between “leaving a security hole wide open” and “my apps don’t work”.

Ruby Enterprise Edition to the rescue

We released Ruby Enterprise Edition 1.8.6-20080621 yesterday, which is based on Ruby 1.8.6-p230. This breaks some apps.

Today we backported the security patches to Ruby 1.8.6-p111, and made a special Ruby Enterprise Edition release based on that. This release:

  • doesn’t break your apps since it’s based on p111. Frédéric is happily running it on his production servers right now.
  • doesn’t suffer from the security vulnerabilities.
  • works with your existing Mongrel setup. Ruby Enterprise Edition works best in combination with Phusion Passenger, but you don’t have to go for that combo.
  • includes the usual Ruby Enterprise Edition features, such as reduced memory usage and improved performance.
  • comes with an easy-to-install source tarball (which includes an installer).
  • comes with an Ubuntu 8.04 package. For convenience, this package bundles many common gems so that you don’t have to (re)install them manually. Multiple Rails versions are included. The full gem list is:
    actionmailer (2.1.0, 2.0.2, 1.3.6, 1.2.5)
    actionpack (2.1.0, 2.0.2, 1.13.6, 1.12.5)
    actionwebservice (1.2.6, 1.1.6)
    activerecord (2.1.0, 2.0.2, 1.15.6, 1.14.4)
    activeresource (2.1.0, 2.0.2)
    activesupport (2.1.0, 2.0.2, 1.4.4, 1.3.1)
    cgi_multipart_eof_fix (2.5.0)
    daemons (1.0.10)
    eventmachine (0.12.0)
    fastthread (1.0.1)
    gem_plugin (0.2.3)
    haml (2.0.0)
    hpricot (0.6)
    mongrel (1.1.5)
    mongrel_cluster (1.0.5)
    mysql (2.7)
    passenger (1.9.1)
    postgres (0.7.9.2008.01.28)
    rack (0.3.0)
    rails (2.1.0, 2.0.2, 1.2.6, 1.1.6)
    rake (0.8.1)
    rspec (1.1.4)
    sqlite3-ruby (1.2.2)
    thin (0.8.1)

Download & usage

You can download it from the Ruby Enterprise Edition website.

Everything in Ruby Enterprise Edition is self-contained, and switching to Ruby Enterprise Edition is only a matter of changing the commands that you normally run. In other words, if you’re using Mongrel on your production servers, then type:

/opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails cluster::start

instead of:

mongrel_rails cluster::start

  • http://christophemaximin.com Christophe Maximin

    You guys definitely rock. Seriously.

  • http://automateit.org/ Igal Koshevoy

    Thanks for releasing this.

    However, many of us need to run stock MRI and are looking for a working patch set for p111.

    I cannot figure out how to get a diff of the changes you’ve made between these two releases because your download.php program makes it impossible to access old versions of your code.

    Can you please publish a diff of your backport against p111?

    Can you also please join us in discussing this at ruby-talk or on the thread at http://www.ruby-forum.com/topic/157034?

    Thank you.

    -igal

  • http://www.phusion.nl/ hongli

    Sure. Here’s the patch: http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt
    I’m now joining the discussion at ruby-talk.

    Diffing this release and the last release of Ruby Enterprise Edition wouldn’t have been very useful, because the last version was based on 1.8.6-p230. :)

  • http://automateit.org/ Igal Koshevoy

    Awesome, thanks for posting your patch and joining the discussion at ruby-talk.

    For completeness sake, here’s my reply:

    Hongli Lai wrote:
    > The relevant patch is available at: http://tinyurl.com/5b493c
    Thanks for the quick response and for publishing the patch. However, are
    you sure you got all the files? Your patch is the most comprehensive
    I’ve seen, but isn’t it missing the fixes to things like eval.c, file.c
    and bignum.c?

    > It’s based on the FreeBSD patch set.
    As far as I can tell, you and Stas at FreeBSD were patching different
    files. E.g., you patched io.c, while he didn’t seem to. However, I feel
    like I don’t understand how to use the FreeBSD website because I can
    only see find his patches to string.c and sprintf.c, but none of the
    others, so if someone can explain how to find the rest, that’d be great.

    -igal

    PS: And many thanks for the awesome work on Phusion Passenger and Ruby
    EE.

  • Alan Francis

    Awesome. Is there an easy way to upgrade an existing install, or should I just download the tarball and rerun the installation procedure?

  • http://www.phusion.nl/ hongli

    Just download the tarball and rerun the installation procedure.

  • http://www.akitaonrails.com AkitaOnRails

    Awesome! It still bugs me why the Ruby Core Team didn’t use your changes yet.

  • Brian

    Thanks a ton guys. You are so very awesome :)

  • Pingback: Solutions for Ruby vulnerabilities » Common Media, Inc.()

  • Nate

    Yeah, because of your attentiveness to this, I’m even more convinced it’s time to move to Passenger. In the meantime though before I switch, I was going to try and use your ruby edition for my current mongrel setup. Anyone else tackle this yet and have success?

    If you go with Ruby Enterprise Edition out of the box you will need to reinstall any gems you need correct? Because Ruby Enterprise seems to recreate the gems environment alongside where it installed ruby. Also you’ll need to change mongrel_rails probably? Or reinstall mongrel since it created a mongrel_rails that’s pointing to the old version of ruby on your system? (e.g. #!/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/bin/ruby)

  • http://www.phusion.nl/ hongli

    You can use Ruby Enterprise Edition with your existing Mongrel setup. See the updated post for instructions.

    You don’t have to reinstall your gems. Since the last version, Ruby Enterprise Edition’s RubyGems will also look in the gem search path of your system’s RubyGems installation.

  • Nate

    Is there something I need to setup to get Ruby EE to search the original system gems? Because sudo gem list now just returns the list of gems that Ruby EE installed. And /opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails start is complaining about missing gems that obviously exist in my normal gems directory.

  • clouder

    is it just me or are other people having problems with sqlite3? I get no such file to load -- sqlite3/database using ruby 1.8.6p230, ruby ee 20080620, and ruby ee 20080624. It works fine on ruby 1.8.6p111 and when I fall back to ruby ee 20080507.

  • http://www.phusion.nl/ hongli

    @Nate: No, that happens automatically. If it failed to detect your Ruby installation for whatever reason, then you can also use the GEM_PATH environment variable:

    export GEM_PATH=`/usr/bin/gem env gempath`

    ‘gem list’ doesn’t show your system’s gems, but that’s normal. I don’t know why RubyGems behaves like that. But requiring gems in your apps will work fine. For example:

    # gem install tzinfo
    ...
    # /opt/ruby-enterprise/bin/irb
    >> require 'rubygems'
    => true
    >> gem 'tzinfo'
    => true

  • http://www.phusion.nl/ hongli

    @clouder: Indeed. It’s a permission problem, though I’m not sure what causes it. Just make sure the relevant files in your sqlite3 gem folder have read permission.

  • Hamed

    How do you get Passenger to load with the new GEM_PATH that you showed how to do?

  • http://wakoopa.com Menno

    Anybody getting a [BUG] Bus Error when using this version with Passenger? Switched from using the bundled ruby with Mac OS X to REE and getting this error:

    /opt/ruby-enterprise-1.8.6-20080624/lib/ruby/gems/1.8/gems/passenger-1.9.1/ext/passenger/native_support.bundle: [BUG] Bus Error
    ruby 1.8.6 (2007-09-24) [i686-darwin9.3.0]

    Can’t confirm if this also happened on earlier versions of REE.

  • Pingback: [Now]labs » Blog Archive » Ruby via Phusion()

  • Michele

    Thanks so much for this. Switching from our existing Ruby installation to this couldn’t have been any easier unless you’d logged in and done it for me.

  • http://redleafsoft.com Sergei Serdyuk

    /opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails cluster::start

    This replacement for mongrel_rails cluster::start did not quite work for me. The reason is that the newly installed enterprise ruby is not in PATH, and when the mongrel_cluster gem executes its commands to launch instances, it picks up the regular installation.

    To work around this I’ve added a short script /opt/mongrel_rails and used it to launch clusters.

    #!/bin/bash
    # Put Ruby Enterprise Edition first in PATH so that the commands the
    # mongrel_cluster gem runs to launch instances find this ruby, not the system one.
    PATH=/opt/ruby-enterprise-1.8.6-20080624/bin:$PATH
    export PATH
    # Quote "$@" so arguments containing spaces are passed through intact.
    mongrel_rails "$@"

  • http://andrew.chalkley.org chalkers

    @hongli: what are the relevant files? just all of them?

  • http://www.phusion.nl/ hongli

    @chalkers: Are you talking about the backport patch? Latest version is here: http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt

  • http://andrew.chalkley.org chalkers

    @hongli: the sqlite3/database issue clouder had.

  • http://andrew.chalkley.org chalkers

    Fixed it

    cd /opt/ruby-enterprise-1.8.6-20080624/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3
    sudo chmod +r *

  • http://matthewbergman.com Matthew Bergman

    Destroyed my Mac OS version of ruby trying to update the security vulnerability. Why do we hate readline so much. Thank god for you guys. I was seriously thinking I was going to need to do a fresh install to overcome whatever I had done.

  • http://www.pollstacks.com Ryan Kuykendall

    I would like to echo the question by Hamed:

    How do you get Passenger to load with the new GEM_PATH that you showed how to do?

    Perhaps he should have been clearer…How do you get Passenger to load with the new GEM_PATH while working in conjunction with Ruby Enterprise Edition?

    Can this be set using Apache’s SetEnv directive? I tried doing this:

    SetEnv GEM_PATH /usr/lib/ruby/gems/1.8

    But that doesn’t work either…if I point PassengerRuby at:

    /usr/bin/ruby

    My application starts up…otherwise, it can’t find the gems I require in my environment file.

    Any ideas about fixing this? I am using the patched version of REE and Passenger 2.0.1

    Thanks…

  • http://www.pollstacks.com Ryan Kuykendall

    It turns out that the issue of missing gems was easily fixed by changing:

    RailsSpawnMethod smart

    to

    RailsSpawnMethod conservative

  • Eric

    I’m getting the same error Menno mentioned:

    /opt/local/lib/ruby/gems/1.8/gems/passenger-2.0.2/ext/passenger/native_support.bundle: [BUG] Bus Error
    ruby 1.8.7 (2008-06-20 patchlevel 22) [powerpc-darwin9]

    Any clues?

  • Stephen Heuer

    I also have the same error that both Menno and Eric commented on:

    /opt/ruby-enterprise-1.8.6-20080709/lib/ruby/gems/1.8/gems/passenger-2.0.2/ext/passenger/native_support.bundle: [BUG] Bus Error
    ruby 1.8.6 (2008-03-03) [i686-darwin9.4.0]

  • http://iqueryable.com/ Steve

    I was having trouble getting Ruby EE to pick up my existing gems. I tried exporting my gem path but that didn’t seem to do the trick. What did work is going into the ruby EE install directory and doing ./gem install haml (repeating for each gem in use). I didn’t remove the gem installed with MRI so perhaps that’s causing the issue/confusion?

  • http://www.desk-egitim.com/index.php?ust=menu5&sol=menu5&orta=okul&okul=2 lsi

    it would be better with other languages support, but thanks..

  • Yves

    The same here on Mac OS Leopard

    /usr/local/ruby-enterprise/lib/ruby/gems/1.8/gems/passenger-2.0.3/ext/passenger/native_support.bundle: [BUG] Bus Error
    ruby 1.8.6 (2008-08-08) [i686-darwin9.4.0]