Accidental Technologist

Musings about Entrepreneurship, Technology and Software Development


Patching Ruby on Rails Refresher

September 4, 2009 by Rob Bazinet 4 Comments


UPDATE: As one comment points out, it is not a good idea to patch production directly unless it is an emergency. The normal way to patch is to patch the source, make sure your tests still pass, and most likely try it on a staging environment first. The patching process itself is the same as I describe below.

The recent XSS vulnerability in Ruby on Rails, discussed on the Ruby on Rails blog and discovered by Brian Mastenbrook, reminded me that I needed to patch my Rails applications, which run a vendored copy of Rails.

All of my production Rails applications keep a copy of Rails in the <application_root>/vendor/rails directory. This keeps me from upgrading Rails on a server and possibly breaking a production application. The only minor drawback of this approach is that when a patch is released, as with this XSS vulnerability, you have to update the vendored Rails for each application by hand. If you don’t do it all the time, it is easy to forget how it’s done.

Patching Rails

Getting and applying a patch is pretty simple. The available patches are:

  • 2-0-CVE-2009-3009.patch – Patch for 2.0 series
  • 2-1-CVE-2009-3009.patch – Patch for 2.1 series
  • 2-2-CVE-2009-3009.patch – Patch for 2.2 series
  • 2-3-CVE-2009-3009.patch – Patch for 2.3 series

Follow 3 easy steps:

  1. cd <your_application_root>/vendor/rails
  2. wget http://weblog.rubyonrails.org/assets/2009/9/4/2-2-CVE-2009-3009.patch
  3. patch -p1 < 2-2-CVE-2009-3009.patch

You need to know which Rails version is vendored before you can pick the patch file to apply. The simplest way for me is to run script/about from <your_application_root>. This prints the Rails version; choose the matching patch from the list above and substitute its URL in the wget command in step 2.

Depending on the security settings where the application is installed, the wget and patch commands may need sudo in front of them. I needed to do this on my production servers, but it would not be needed when patching a local project that is later committed to source control.
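The three steps above, wrapped in a small POSIX shell script as an added example (this is not code from the original post). It reads the vendored Rails version, picks the matching series patch from the list above, and dry-runs the patch before touching the tree, so an already-patched or mismatched vendor/rails fails cleanly instead of being left half-applied. Assumptions: Rails 2.x keeps its MAJOR/MINOR/TINY constants in vendor/rails/railties/lib/rails/version.rb, GNU patch is installed (for --dry-run), and the patch URLs follow the pattern quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: select, dry-run and apply the
# CVE-2009-3009 patch for a vendored Rails 2.x tree.
# Assumptions: version constants live in railties/lib/rails/version.rb,
# GNU patch provides --dry-run, patch URLs follow the pattern in the post.

PATCH_BASE_URL="http://weblog.rubyonrails.org/assets/2009/9/4"

# Parse MAJOR.MINOR.TINY out of a Rails 2.x version.rb file (path in $1).
rails_version_from_file() {
    major=$(sed -n 's/^ *MAJOR *= *\([0-9]*\).*/\1/p' "$1")
    minor=$(sed -n 's/^ *MINOR *= *\([0-9]*\).*/\1/p' "$1")
    tiny=$(sed -n 's/^ *TINY *= *\([0-9]*\).*/\1/p' "$1")
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$tiny" ] || return 1
    echo "$major.$minor.$tiny"
}

# Map a version such as 2.3.4 to its series patch, e.g. 2-3-CVE-2009-3009.patch.
# Only the 2.0 to 2.3 series have a patch; anything else is an error.
patch_name_for_version() {
    case "$1" in
        2.0.*) echo "2-0-CVE-2009-3009.patch" ;;
        2.1.*) echo "2-1-CVE-2009-3009.patch" ;;
        2.2.*) echo "2-2-CVE-2009-3009.patch" ;;
        2.3.*) echo "2-3-CVE-2009-3009.patch" ;;
        *) echo "no CVE-2009-3009 patch for Rails $1" >&2; return 1 ;;
    esac
}

# Steps 1-3 from the post, with a dry run inserted before the real patch.
# $1 is the application root.
apply_rails_patch() {
    rails_dir="$1/vendor/rails"
    version=$(rails_version_from_file "$rails_dir/railties/lib/rails/version.rb") || return 1
    patch_file=$(patch_name_for_version "$version") || return 1
    echo "vendored Rails $version -> $patch_file"
    cd "$rails_dir" || return 1
    wget -q "$PATCH_BASE_URL/$patch_file" || return 1
    # An already-patched or different tree fails here, leaving nothing modified.
    patch --dry-run -p1 < "$patch_file" >/dev/null || {
        echo "dry run failed; not touching $rails_dir" >&2
        return 1
    }
    patch -p1 < "$patch_file"
}

# Only act when an application root is given on the command line, so the
# helper functions can be sourced or tested without modifying anything.
if [ "$#" -gt 0 ]; then
    apply_rails_patch "$1"
fi
```

Run it as `sh patch_rails.sh /path/to/app`. Where vendor/rails is owned by a deploy user, run the script as that user rather than prefixing sudo, so the patched files keep their ownership and the change shows up in the same source control checkout you would commit from.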

Technorati Tags: Ruby on Rails,XSS Vulnerability,Patching


Filed Under: Ruby
