Jano Svitok
6/30/2008 10:39:00 PM
On Mon, Jun 30, 2008 at 19:39, Cali Wildman
<caliwildman2004-info@yahoo.com> wrote:
> I have Ruby 1.8.5 on Windows XP and unable to identify the patch level
> for that release. I have tried the following commands without success
> * ruby -e 'puts(RUBY_PATCHLEVEL)' gives uninitialized constant
> * ruby -v does not show patch level
> * from irb: puts RUBY_PATCHLEVEL gives uninitialized constant
>
> The reason I am doing this is because of this...
> The official Ruby blog is reporting "multiple vulnerabilities" in the
> official Ruby interpreter (MRI). A significant number of versions are
> affected:
>
> * All versions prior to 1.8.5
> * All 1.8.5 versions prior to patch 231
> * All 1.8.6 versions prior to patch 230
> * All 1.8.7 versions prior to patch 22
> * All 1.9.0 versions prior to 1.9.0-2
>
> I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
> there a way to perhaps correlate the date of the Ruby package with a
> patch level? Thanks in advance for your help.
If you installed your ruby from one-click installer, it's vulnerable
(There's no OCI for p231 yet, and most probably never will be)
If you installed your ruby more than two weeks ago, it's vulnerable
(I.e. your ruby must be newer than the announcement).
Note that some of the versions you listed are broken, so please read
through recent posts to determine which version you really want.
J.
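As an added example (not code from the thread), the check below turns the affected-version list quoted above into a script: it compares a version/patchlevel pair against those thresholds, treats an undefined RUBY_PATCHLEVEL as "predates the fix" (the situation in the original question), and reports the status of the interpreter it runs under. The 1.9.0 handling assumes the "-2" suffix is passed as the second argument; versions not on the quoted list return nil.

```ruby
# Minimum non-vulnerable patchlevel per release line, taken from the
# quoted post. Anything below these (or on an older line) is affected.
SAFE_PATCHLEVEL = {
  "1.8.5" => 231,
  "1.8.6" => 230,
  "1.8.7" => 22,
}

# Returns true if the pair is in an affected range, false if it is at or
# above the fixed level, nil if the quoted list does not cover the version.
# patchlevel == nil models a build where RUBY_PATCHLEVEL is undefined.
def affected?(version, patchlevel)
  triple = version.split(".").map { |part| part.to_i }
  # "All versions prior to 1.8.5": Array#<=> compares element by element.
  return true if (triple <=> [1, 8, 5]) < 0

  if version == "1.9.0"
    # "All 1.9.0 versions prior to 1.9.0-2". Assumption: the release
    # suffix (1 or 2) is supplied as patchlevel; no suffix means affected.
    return true if patchlevel.nil?
    return patchlevel < 2
  end

  min = SAFE_PATCHLEVEL[version]
  return nil if min.nil?          # line not mentioned in the advisory list
  return true if patchlevel.nil?  # no RUBY_PATCHLEVEL at all: older than the fix
  patchlevel < min
end

# Status of the interpreter running this script, using the same logic.
def local_status
  pl = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  { :version => RUBY_VERSION, :patchlevel => pl,
    :affected => affected?(RUBY_VERSION, pl) }
end

if __FILE__ == $0
  st = local_status
  puts "ruby #{st[:version]} patchlevel #{st[:patchlevel].inspect}: " +
       case st[:affected]
       when true  then "AFFECTED (upgrade)"
       when false then "at or above the fixed patchlevel"
       else            "not covered by the quoted list"
       end
end
```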