As you’re likely already aware, a denial of service (DoS) vulnerability in Ruby’s BigDecimal library was . Patching options include:
- Replacing your current ruby installation with a
- to patch the code and then updating your application to load the patch.
The latter approach only postpones the inevitable, so I opted for the former. If you’re using the , it’s a simple call to aptitude update. However, if you’ve installed from source, this presents a few challenges.
The upgrade is actually quite straightforward. According to the , you simply need to run the over top of your previous installation. This includes specifying the exact same directory name that you used to install the previous version.
As you may know, REE installs by default into /opt/ruby-enterprise-1.8.6-<year_month_day_release>. However, after completing this, you’re left with a directory name that doesn’t reflect what’s actually installed in there. If you’ve a little neurotic like I am, you’re going to want to rename that directory. However, be careful. Your configuration is likely pointing to the directory that you want to rename, so you’ll have to remember to update your apache/nginx configuration to reflect this.
When we install REE we create a symlink at /opt/ruby which points to the version of ruby that we want passenger to run. This allows us to quickly swap in/out different versions of ruby for testing/upgrading/etc.
Considering we have dozens of client applications running on distinct servers each with their own versions of REE installed, I decided to write a script to minimize the manual effort required to upgrade several production servers.
#!/bin/sh # Author: John Trupiano # Script to upgrade an REE installation on a hot server and maintain sane directory names if [ "$(whoami)" != "root" ]; then echo "You need to be root to run this!" exit 2 fi RF_RELEASE=58677 REE_VERSION=20090610 REE=ruby-enterprise-1.8.6-$REE_VERSION URL=http://rubyforge.org/frs/download.php/$RF_RELEASE/$REE.tar.gz # Determine what the most recent version of REE is that is installed MOST_RECENT_REE_VERSION=`ls /opt | awk -F"-" '$4 > max && $2 == "enterprise" { max=$4; maxline=$0 }; END { print max }'` MOST_RECENT_REE=ruby-enterprise-1.8.6-$MOST_RECENT_REE_VERSION WORKING_DIR=/root/src echo "Going to update $MOST_RECENT_REE to $REE" echo "Back up previous release" cp -R /opt/$MOST_RECENT_REE /opt/$MOST_RECENT_REE.bak echo "Download new release" mkdir -p $WORKING_DIR cd $WORKING_DIR && wget $URL echo "Untar and install over the previous release for 'upgrade' according to REE manual" tar xzf $REE.tar.gz ./$REE/installer --auto /opt/$MOST_RECENT_REE echo "Shuffle folder names to remain sane" mv /opt/$MOST_RECENT_REE /opt/$REE && mv /opt/$MOST_RECENT_REE.bak /opt/$MOST_RECENT_REE echo "Actually symlink in the new version of REE" rm /opt/ruby && ln -s /opt/$REE /opt/ruby echo "Clean up after ourselves" rm -f $WORKING_DIR/$REE
Simply upload this script to your server, su – up to root and run it. Then restart apache/nginx so that passenger will pick up the new version of ruby. All of your gems will be maintained, and your most recent version of REE will remain in tact at /opt/ruby-enterprise-1.8.6-<old_version> in case you need it again.
The download location has been changed, REE can no longer be downloaded from ree.com, it’s hosted here instead:
I’m unsure if the “58677″ wil change from one release to the next one.
Thanks maia, I have updated the script and the gist.
You are correct in that future releases of REE will change the rubyforge release id number. I have pulled it out into its own variable up top so that this script is easy to modify for new releases of REE.