Ruby 1.8.6-p230/1.8.7 broke your app? Ruby Enterprise Edition to the rescue!
For those who don’t know, a number of security vulnerabilities in Ruby have recently been discovered. Affected Ruby versions are:
- All versions prior to 1.8.5
- All 1.8.5 versions prior to patch 231
- All 1.8.6 versions prior to patch 230
- All 1.8.7 versions prior to patch 22
- All 1.9.0 versions prior to 1.9.0-2
The CVE links on the Ruby website don’t disclose any information on the vulnerabilities, but Peter Cooper from RubyInside has posted more details.
Unfortunately, Ruby 1.8.7 is incompatible with all Rails versions prior to 2.1, according to the official Rails blog. Ruby 1.8.6-p230 isn’t much better: it breaks a number of applications and libraries. For example, Frédéric de Villamil, author of the well-known Typo blogging software, hosts a number of Typo blogs, and they have all been broken by the 1.8.6-p230 update.
Needless to say, nobody wants to choose between “leaving a security hole wide open” and “my apps don’t work”.
Ruby Enterprise Edition to the rescue
We released Ruby Enterprise Edition 1.8.6-20080621 yesterday, which is based on Ruby 1.8.6-p230. This breaks some apps.
Today we backported the security patches to Ruby 1.8.6-p111, and made a special Ruby Enterprise Edition release based on that. This release:
- doesn’t break your apps since it’s based on p111. Frédéric is happily running it on his production servers right now.
- doesn’t suffer from the security vulnerabilities.
- works with your exiting Mongrel setup. Ruby Enterprise Edition works best in combination with Phusion Passenger, but you don’t have to go for that combo.
- includes the usual Ruby Enterprise Edition features, such as reduced memory usage and improved performance.
- comes with an easy-to-install source tarball (which includes an installer).
- comes with an Ubuntu 8.04 package. For convenience, this packages bundle many common gems so that you don’t have to (re)install them manually. Multiple Rails versions are included. The full gem list is:
actionmailer (2.1.0, 2.0.2, 1.3.6, 1.2.5) actionpack (2.1.0, 2.0.2, 1.13.6, 1.12.5) actionwebservice (1.2.6, 1.1.6) activerecord (2.1.0, 2.0.2, 1.15.6, 1.14.4) activeresource (2.1.0, 2.0.2) activesupport (2.1.0, 2.0.2, 1.4.4, 1.3.1) cgi_multipart_eof_fix (2.5.0) daemons (1.0.10) eventmachine (0.12.0) fastthread (1.0.1) gem_plugin (0.2.3) haml (2.0.0) hpricot (0.6) mongrel (1.1.5) mongrel_cluster (1.0.5) mysql (2.7) passenger (1.9.1) postgres (0.7.9.2008.01.28) rack (0.3.0) rails (2.1.0, 2.0.2, 1.2.6, 1.1.6) rake (0.8.1) rspec (1.1.4) sqlite3-ruby (1.2.2) thin (0.8.1)
Download & usage
You can download it from the Ruby Enterprise Edition website.
Everything in Ruby Enterprise Edition is self-contained, and switching to Ruby Enterprise Edition is only a matter of changing the commands that you normally run. In other words, if you’re using Mongrel on your production servers, then type:
/opt/ruby-enterprise-x.x.x/bin/ruby -S mongrel_rails cluster::start
instead of:
mongrel_rails cluster::start
-
Hello, we are Phusion. We provide amazing products and services for web apps written in Ruby, Python, Node.js and Meteor.
Featured articles
- Docker-friendly Vagrant boxes
- Duplicity + S3: easy, cheap, encrypted, automated full-disk backups for your servers
- Efficient Substring Searching
- Mail in 2012 from an admin’s perspective
- Making Ruby threadable: properly handling context switching in native extensions
- Objective-C for Ruby developers
- Passing environment variables to Ruby from Phusion Passenger
- Securely store passwords with bcrypt-ruby
- The right way to deal with frozen processes on Unix
- Tuning Phusion Passenger's concurrency settings
- Tutorial: setting up Gitlab on Debian 6
- Why Rails 4 Live Streaming is a big deal
Phusion. All rights reserved.