Ruby 1.8.6-p230/1.8.7 broke your app? Ruby Enterprise Edition to the rescue!
For those who don’t know, a number of security vulnerabilities in Ruby have recently been discovered. Affected Ruby versions are:
- All versions prior to 1.8.5
- All 1.8.5 versions prior to patch 231
- All 1.8.6 versions prior to patch 230
- All 1.8.7 versions prior to patch 22
- All 1.9.0 versions prior to 1.9.0-2
The CVE links on the Ruby website don’t disclose any information on the vulnerabilities, but Peter Cooper from RubyInside has posted more details.
Unfortunately, Ruby 1.8.7 is incompatible with all Rails versions prior to 2.1, according to the official Rails blog. Ruby 1.8.6-p230 isn’t much better: it breaks a number of applications and libraries. For example, Frédéric de Villamil, author of the well-known Typo blogging software, hosts a number of Typo blogs, and they have all been broken by the 1.8.6-p230 update.
Needless to say, nobody wants to choose between “leaving a security hole wide open” and “my apps don’t work”.
Ruby Enterprise Edition to the rescue
We released Ruby Enterprise Edition 1.8.6-20080621 yesterday, which is based on Ruby 1.8.6-p230. This breaks some apps.
Today we backported the security patches to Ruby 1.8.6-p111, and made a special Ruby Enterprise Edition release based on that. This release:
- doesn’t break your apps since it’s based on p111. Frédéric is happily running it on his production servers right now.
- doesn’t suffer from the security vulnerabilities.
- works with your existing Mongrel setup. Ruby Enterprise Edition works best in combination with Phusion Passenger, but you don’t have to go for that combo.
- includes the usual Ruby Enterprise Edition features, such as reduced memory usage and improved performance.
- comes with an easy-to-install source tarball (which includes an installer).
- comes with an Ubuntu 8.04 package. For convenience, this package bundles many common gems so that you don’t have to (re)install them manually. Multiple Rails versions are included. The full gem list is:
- actionmailer (2.1.0, 2.0.2, 1.3.6, 1.2.5)
- actionpack (2.1.0, 2.0.2, 1.13.6, 1.12.5)
- actionwebservice (1.2.6, 1.1.6)
- activerecord (2.1.0, 2.0.2, 1.15.6, 1.14.4)
- activeresource (2.1.0, 2.0.2)
- activesupport (2.1.0, 2.0.2, 1.4.4, 1.3.1)
- cgi_multipart_eof_fix (2.5.0)
- daemons (1.0.10)
- eventmachine (0.12.0)
- fastthread (1.0.1)
- gem_plugin (0.2.3)
- haml (2.0.0)
- hpricot (0.6)
- mongrel (1.1.5)
- mongrel_cluster (1.0.5)
- mysql (2.7)
- passenger (1.9.1)
- postgres (0.7.9.2008.01.28)
- rack (0.3.0)
- rails (2.1.0, 2.0.2, 1.2.6, 1.1.6)
- rake (0.8.1)
- rspec (1.1.4)
- sqlite3-ruby (1.2.2)
- thin (0.8.1)
Download & usage
You can download it from the Ruby Enterprise Edition website.
Everything in Ruby Enterprise Edition is self-contained, and switching to Ruby Enterprise Edition is only a matter of changing the commands that you normally run. In other words, if you’re using Mongrel on your production servers, then type:
/opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails cluster::start
instead of:
mongrel_rails cluster::start
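One way to make the switch stick for mongrel_cluster as well, as an added example that is not from the post or from Phusion: a small wrapper that prepends the REE bin directory to PATH before running mongrel_rails, so the instances that mongrel_cluster spawns resolve the patched interpreter rather than the system one, and that refuses to start when the assumed REE_PREFIX contains no ruby at all (a silent fallback to the unpatched interpreter is the failure mode worth catching).

```shell
#!/bin/sh
# Added example (not the post's or Phusion's code): wrapper for mongrel_rails
# that makes Ruby Enterprise Edition the interpreter for child processes too.
# REE_PREFIX is an assumed path; set it to your actual install directory
# (e.g. /opt/ruby-enterprise-1.8.6-20080624).
REE_PREFIX="${REE_PREFIX:-/opt/ruby-enterprise-x.x.x}"

# Return a PATH with REE's bin directory in front, unless it is already first,
# so `ruby`, `gem` and `mongrel_rails` all resolve to the REE copies.
ree_path() {
    case ":$PATH:" in
        ":$REE_PREFIX/bin:"*) printf '%s\n' "$PATH" ;;
        *) printf '%s\n' "$REE_PREFIX/bin:$PATH" ;;
    esac
}

# Report which ruby a child process would pick up under the given PATH
# (a subshell so the lookup does not use a cached location).
ruby_resolved_by() {
    ( PATH="$1"; command -v ruby )
}

# Succeed only if the REE interpreter is really there and executable.
ree_check() {
    [ -x "$REE_PREFIX/bin/ruby" ]
}

# Run mongrel_rails under REE with REE first in PATH; fail loudly otherwise.
ree_mongrel_rails() {
    ree_check || { echo "no REE ruby at $REE_PREFIX/bin/ruby" >&2; return 1; }
    PATH="$(ree_path)" exec "$REE_PREFIX/bin/ruby" -S mongrel_rails "$@"
}

# Save as /opt/mongrel_rails and run: /opt/mongrel_rails cluster::start
# (the guard keeps the functions sourceable without starting anything).
if [ "${0##*/}" = "mongrel_rails" ]; then
    ree_mongrel_rails "$@"
fi
```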
You guys definitely rock. Seriously.
Thanks for releasing this.
However, many of us need to run stock MRI and are looking for a working patch set for p111.
I cannot figure out how to get a diff of the changes you’ve made between these two releases because your download.php program makes it impossible to access old versions of your code.
Can you please publish a diff of your backport against p111?
Can you also please join us in discussing this at ruby-talk or on the thread at http://www.ruby-forum.com/topic/157034 ?
Thank you.
-igal
Sure. Here’s the patch: http://blog.phusion.nl/assets/r8ee-security-patch-20080623.txt
I’m now joining the discussion at ruby-talk.
Diffing this release and the last release of Ruby Enterprise Edition wouldn’t have been very useful, because the last version was based on 1.8.6-p230.
Awesome, thanks for posting your patch and joining the discussion at ruby-talk.
For completeness sake, here’s my reply:
Hongli Lai wrote:
> The relevant patch is available at: http://tinyurl.com/5b493c
Thanks for the quick response and for publishing the patch. However, are
you sure you got all the files? Your patch is the most comprehensive
I’ve seen, but isn’t it missing the fixes to things like eval.c, file.c
and bignum.c?
> It’s based on the FreeBSD patch set.
As far as I can tell, you and Stas at FreeBSD were patching different
files. E.g., you patched io.c, while he didn’t seem to. However, I feel
like I don’t understand how to use the FreeBSD website because I can
only see find his patches to string.c and sprintf.c, but none of the
others, so if someone can explain how to find the rest, that’d be great.
-igal
PS: And many thanks for the awesome work on Phusion Passenger and Ruby
EE.
Awesome. Is there an easy way to upgrade an existing install, or should I just download the tarball and rerun the installation procedure?
Just download the tarball and rerun the installation procedure.
Awesome! It still bugs me why the Ruby Core Team didn’t use your changes yet.
Thanks a ton guys. You are so very awesome
Yeah, because of your attentiveness to this, I’m even more convinced it’s time to move to Passenger. In the meantime though before I switch, I was going to try and use your ruby edition for my current mongrel setup. Anyone else tackle this yet and have success?
If you go with Ruby Enterprise Edition out of the box you will need to reinstall any gems you need correct? Because Ruby Enterprise seems to recreate the gems environment alongside where it installed ruby. Also you’ll need to change mongrel_rails probably? Or reinstall mongrel since it created a mongrel_rails that’s pointing to the old version of ruby on your system? (e.g. #!/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/bin/ruby)
You can use Ruby Enterprise Edition with your existing Mongrel setup. See the updated post for instructions.
You don’t have to reinstall your gems. Since the last version, Ruby Enterprise Edition’s RubyGems will also look in the gem search path of your system’s RubyGems installation.
Is there something I need to setup to get Ruby EE to search the original system gems? Because sudo gem list now just returns the list of gems that Ruby EE installed. And /opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails start is complaining about missing gems that obviously exist in my normal gems directory.
is it just me or are other people having problems with sqlite3? I get no such file to load — sqlite3/database using ruby 1.8.6p230, ruby ee 20080620, and ruby ee 20080624. It works fine on ruby 1.8.6p111 and when I fallback to ruby ee 20080507.
@Nate: No, that happens automatically. If it failed to detect your Ruby installation for whatever reason, then you can also use the GEM_PATH environment variable:
‘gem list’ doesn’t show your system’s gems, but that’s normal. I don’t know why RubyGems behaves like that. But requiring gems in your apps will work fine. For example:
@clouder: Indeed. It’s a permission problem, though I’m not sure what causes it. Just make sure the relevant files in your sqlite3 gem folder have read permission.
How do you get Passenger to load with the new GEM_PATH that you showed how to do?
Anybody getting a [BUG] Bus Error when using this version with Passenger? Switched from using the bundled ruby with Mac OS X to REE and getting this error:
/opt/ruby-enterprise-1.8.6-20080624/lib/ruby/gems/1.8/gems/passenger-1.9.1/ext/passenger/native_support.bundle: [BUG] Bus Error
ruby 1.8.6 (2007-09-24) [i686-darwin9.3.0]
Can’t confirm if this also happened on earlier versions of REE.
Thanks so much for this. Switching from our existing Ruby installation to this couldn’t have been any easier unless you’d logged in and done it for me.
This replacement for mongrel_rails cluster::start did not quite work for me. The reason is that the newly installed enterprise ruby is not in PATH, and when the mongrel_cluster gem executes its commands to launch instances, it picks up the regular installation.
To work around this I’ve added a short script /opt/mongrel_rails and used it to launch clusters.
@hongli: what are the relevant files? just all of them?
@chalkers: Are you talking about the backport patch? Latest version is here: http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
@hongli: the sqlite3/database issue clouder had.
Fixed it
cd /opt/ruby-enterprise-1.8.6-20080624/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3
sudo chmod +r *
Destroyed my Mac OS version of ruby trying to update the security vulnerability. Why do we hate readline so much. Thank god for you guys. I was seriously thinking I was going to need to do a fresh install to overcome whatever I had done.
I would like to echo the question by Harned:
How do you get Passenger to load with the new GEM_PATH that you showed how to do?
Perhaps he should have been clearer…How do you get Passenger to load with the new GEM_PATH while working in conjunction with Ruby Enterprise Edition?
Can this be set using Apache’s SetEnv directive? I tried doing this:
SetEnv GEM_PATH /usr/lib/ruby/gems/1.8
But that doesn’t work either…if I point PassengerRuby at:
/usr/bin/ruby
My application starts up…otherwise, it can’t find the gems I require in my environment file.
Any ideas about fixing this? I am using the patched version of REE and Passenger 2.0.1
Thanks…
It turns out that the issue of missing gems was easily fixed by changing:
RailsSpawnMethod smart
to
RailsSpawnMethod conservative
I’m getting the same error Menno mentioned:
/opt/local/lib/ruby/gems/1.8/gems/passenger-2.0.2/ext/passenger/native_support.bundle: [BUG] Bus Error
ruby 1.8.7 (2008-06-20 patchlevel 22) [powerpc-darwin9]
Any clues?
I also have the same error that both Menno and Eric commented on:
/opt/ruby-enterprise-1.8.6-20080709/lib/ruby/gems/1.8/gems/passenger-2.0.2/ext/passenger/native_support.bundle: [BUG] Bus Error
ruby 1.8.6 (2008-03-03) [i686-darwin9.4.0]
I was having trouble getting Ruby EE to pick up my existing gems. I tried exporting my gem path but that didn’t seem to do the trick. What did work is going into the ruby EE install directory and doing ./gem install haml (repeating for each gem in use). I didn’t remove the gem installed with MRI so perhaps that’s causing the issue/confusion?
It would be better with support for other languages, but thanks..
The same here on Mac OS Leopard
/usr/local/ruby-enterprise/lib/ruby/gems/1.8/gems/passenger-2.0.3/ext/passenger/native_support.bundle: [BUG] Bus Error
ruby 1.8.6 (2008-08-08) [i686-darwin9.4.0]