One of my applications is running on Heroku. Recently I got an email from Heroku explaining a possible threat in existing Ruby versions. It says:
You are receiving this email because you run at least one Ruby (MRI) application on Heroku.
Early this morning, the Ruby project announced a security vulnerability in MRI 1.8.7, 1.9.2, 1.9.3 and 2.0.0. The CVE identifier is CVE-2013-4164. Rubinius and JRuby are unaffected.
We believe this is limited to a denial of service vulnerability. Any Ruby application that parses JSON from an untrusted source can potentially be made to crash with little difficulty. There is also a slim theoretical possibility of a much more serious vulnerability, an Arbitrary Code Execution. We would like to stress that there are no known Proofs of Concept and this is purely theoretical, but it cannot be ruled out.
In response, we have released Ruby 1.8.7p375, 1.9.2p321, 1.9.3p484 and 2.0.0p353, which close this vulnerability. Please upgrade as soon as possible.
The upgrade on Heroku takes place automatically when you deploy any change. To see which version Heroku is using for your application, run the command below:
$ heroku run "ruby -v" -a APPNAME   # shows the Ruby version the app currently runs on
To upgrade the Ruby version on Heroku, just make an empty commit and push it, so that Heroku triggers a new deploy and updates the version itself.
$ git commit --allow-empty -m "upgrade ruby version"
$ git push heroku master
Anyway, our main goal here is to upgrade Ruby on another server or a local machine that uses RVM. You can do it with the simple steps below.
STEP 1: check the current Ruby used by your machine
$ ruby -v
ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]
OK, so we are using 1.9.3p125, i.e. patch level 125 of Ruby 1.9.3, which is vulnerable to the threat described in the email above. We need to upgrade it to patch level 484, which has the security fix.
STEP 2: check the Ruby versions currently known to your RVM
$ rvm list known
# MRI Rubies
OK, so it does not show patch 484, so you need to upgrade your RVM first.
STEP 3: upgrade RVM to the current stable version
$ rvm get stable
STEP 4: check again which Ruby versions your RVM knows
$ rvm list known
# MRI Rubies
So now our RVM has the currently released patch levels for all the versions.
STEP 5: upgrade the Ruby version
$ rvm upgrade 1.9.3-p125 1.9.3-p484   # upgrades the current 1.9.3-p125 to 1.9.3-p484; in fact you can upgrade to any version RVM knows
Are you sure you wish to upgrade from ruby-1.9.3-p125 to ruby-1.9.3-p484? (Y/n): # press Y
Are you sure you wish to MOVE gems from ruby-1.9.3-p125 to ruby-1.9.3-p484?
This will overwrite existing gems in ruby-1.9.3-p484 and remove them from ruby-1.9.3-p125 (Y/n): y   # press Y
Moving ruby-1.9.3-p125 to ruby-1.9.3-p484
Making gemset ruby-1.9.3-p484 pristine...
This takes 10 to 15 minutes depending on your connection.
=> Keep pressing Y whenever it asks you. Press n only if you want to configure something yourself, but I suggest going with the defaults as they worked smoothly for me.
=> If you have installed Passenger on the server with the passenger gem, you need to reinstall it, as your gemset location has changed from ruby-1.9.3-p125 to ruby-1.9.3-p484.
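To make the STEP 1 check repeatable across several servers, here is an added helper script (not from the original post) that classifies a `ruby -v` line against the fixed patch levels named in the Heroku email above. The function names and the sample version strings are my own; the patch-level table comes from the email.

```shell
#!/bin/sh
# Added example: classify a "ruby -v" line against the MRI releases that
# the Heroku mail names as fixed for CVE-2013-4164.
# Prints one of: fixed, vulnerable, unknown.
cve_2013_4164_status() {
    # $1 is a single "ruby -v" line, e.g.
    #   ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]
    #   ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]   (1.8.7 format)
    ver=$(printf '%s\n' "$1" |
        sed -n -e 's/^ruby \([0-9][0-9.]*\)p\([0-9][0-9]*\).*/\1 \2/p' \
               -e 's/^ruby \([0-9][0-9.]*\) (.*patchlevel \([0-9][0-9]*\)).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown            # not an MRI version string (JRuby, dev builds, ...)
        return 0
    fi
    base=${ver% *}              # e.g. 1.9.3
    patch=${ver#* }             # e.g. 125
    case "$base" in             # first fixed patch level per release line (from the mail)
        1.8.7) fixed=375 ;;
        1.9.2) fixed=321 ;;
        1.9.3) fixed=484 ;;
        2.0.0) fixed=353 ;;
        *) echo unknown; return 0 ;;   # release line not covered by the advisory
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the interpreter on PATH (the one RVM has selected) and report.
# Exit status: 0 fixed, 1 vulnerable, 2 unknown or no ruby found.
check_installed_ruby() {
    line=$(ruby -v 2>/dev/null) || { echo "ruby not found on PATH"; return 2; }
    case "$(cve_2013_4164_status "$line")" in
        fixed)      echo "OK: $line" ;;
        vulnerable) echo "VULNERABLE (CVE-2013-4164), upgrade with rvm: $line"; return 1 ;;
        *)          echo "UNKNOWN, not covered by this check: $line"; return 2 ;;
    esac
}
```

Run `check_installed_ruby` in each RVM environment you maintain (for example via `rvm use <version> && check_installed_ruby`) to see which installs still need the STEP 5 upgrade.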