«

I have Ruby 1.8.5 on Windows XP and unable to identify the patch level
for that release. I have tried the following commands without success
* ruby -e 'puts(RUBY_PATCHLEVEL)' gives uninitialized constant
* ruby -v does not show patch level
* from irb: puts RUBY_PATCHLEVEL gives uninitialized constant

The reason I am doing this is because of this...
The official Ruby blog is reporting “multiple vulnerabilities� in the
official Ruby interpreter (MRI). A significant number of versions are
affected:

* All versions prior to 1.8.5
* All 1.8.5 versions prior to patch 231
* All 1.8.6 versions prior to patch 230
* All 1.8.7 versions prior to patch 22
* All 1.9.0 versions prior to 1.9.0-2

I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
there a way to perhaps correlate the date of the Ruby package with a
patch level? Thanks in advance for your help.
--
Posted via http://www.ruby-forum.com/.

For my WinXP installation (1.8.6 one-click installer):

C:\>ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]

YMMV

Dave

--
Posted via http://www.ruby-forum.com/.

On Mon, Jun 30, 2008 at 19:39, Cali Wildman
<caliwildman2004-> wrote:
> I have Ruby 1.8.5 on Windows XP and unable to identify the patch level
> for that release. I have tried the following commands without success
> * ruby -e 'puts(RUBY_PATCHLEVEL)' gives uninitialized constant
> * ruby -v does not show patch level
> * from irb: puts RUBY_PATCHLEVEL gives uninitialized constant
>
> The reason I am doing this is because of this...
> The official Ruby blog is reporting "multiple vulnerabilities" in the
> official Ruby interpreter (MRI). A significant number of versions are
> affected:
>
> * All versions prior to 1.8.5
> * All 1.8.5 versions prior to patch 231
> * All 1.8.6 versions prior to patch 230
> * All 1.8.7 versions prior to patch 22
> * All 1.9.0 versions prior to 1.9.0-2
>
> I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
> there a way to perhaps correlate the date of the Ruby package with a
> patch level? Thanks in advance for your help.

If you installed your ruby from one-click installer, it's vulnerable
(There's no OCI for p231 yet, and most probably never will be)
If you installed your ruby more than two weeks ago, it's vulnerable
(I.e. your ruby must be newer than the annoucement).
Note that some of the versions you listed are broken, so please read
through recent posts to determine which version do you really want.

J.

Dave Bass wrote:
> For my WinXP installation (1.8.6 one-click installer):
>
> C:\>ruby --version
> ruby 1.8.6 (2007-09-24 patchlevel 111) [i386-mswin32]
>
> YMMV
>
> Dave

ruby --version is the same as ruby -v, it doesn't give me a patch level.
--
Posted via http://www.ruby-forum.com/.

Jano Svitok wrote:
> On Mon, Jun 30, 2008 at 19:39, Cali Wildman
> <caliwildman2004-> wrote:
>>
>> * All versions prior to 1.8.5
>> * All 1.8.5 versions prior to patch 231
>> * All 1.8.6 versions prior to patch 230
>> * All 1.8.7 versions prior to patch 22
>> * All 1.9.0 versions prior to 1.9.0-2
>>
>> I am thinking that my version of Ruby predates PATCHLEVEL var? If so, is
>> there a way to perhaps correlate the date of the Ruby package with a
>> patch level? Thanks in advance for your help.
>
> If you installed your ruby from one-click installer, it's vulnerable
> (There's no OCI for p231 yet, and most probably never will be)
> If you installed your ruby more than two weeks ago, it's vulnerable
> (I.e. your ruby must be newer than the annoucement).
> Note that some of the versions you listed are broken, so please read
> through recent posts to determine which version do you really want.
>
> J.

Thanks Jano, that's helpful, my Ruby installation was from Jan 2007 so
it's vulnerable. I will read through the recent posts to determine the
appropriate version.
--
Posted via http://www.ruby-forum.com/.