Ruby (MRI) patched to address CVE-2013-4164

Change effective on 23 November 2013

Ruby (MRI) is patched to address a security vulnerability disclosed this morning for MRI 1.8.7, 1.9.2, 1.9.3, 2.0.0 (CVE-2013-4164). Rubinius and JRuby are unaffected.

The new versions are Ruby 1.8.7p375, 1.9.2p321, 1.9.3p484 and 2.0.0p353. These versions are not picked up automatically; you must take the action described below, so please upgrade as soon as possible. These releases are only available on our Cedar stack. If your application is on our Bamboo stack, please see the note below.

We believe this is limited to a denial of service vulnerability. Any Ruby application that parses JSON from an untrusted source can potentially be made to crash with little difficulty. There is also a slim theoretical possibility of a much more serious vulnerability, Arbitrary Code Execution. We would like to stress that there are no known Proofs of Concept and this is purely theoretical, but it cannot be ruled out.

To protect yourself, you’ll need to push a new commit to your app, which will cause a deploy. If you don’t want to push any actual changes, this commit can be empty:

$ git commit --allow-empty -m "upgrade ruby version"
$ git push heroku master

After the deploy, verify that you have a secure version of Ruby by running:

$ heroku run "ruby -v"

You should see one of the following versions:

Ruby 1.8.7p375 (2013-11-22 revision 375) [x86_64-linux]
Ruby 1.9.2p321 (2013-11-22 revision 321) [x86_64-linux]
Ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
Ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux]
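As an added check that is not part of this changelog, the following Ruby script parses a `ruby -v` line and reports whether that interpreter is at or above the patched levels listed above (the thresholds come from the versions in this post; the names `parse_ruby_v` and `cve_2013_4164_status` are chosen here). Anything outside the four series covered by the advisory, including non-MRI implementations, is reported as unknown rather than guessed.

```ruby
# Added example (not Heroku's or MRI's own code): check an MRI version string
# against the patch levels that fixed CVE-2013-4164.

# Minimum fixed patch level per series, taken from the changelog above.
FIXED_PATCHLEVELS = {
  "1.8.7" => 375,
  "1.9.2" => 321,
  "1.9.3" => 484,
  "2.0.0" => 353,
}.freeze

# Parse the first line of `ruby -v` output, e.g.
# "ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]".
# Returns [version, patchlevel] or nil when the line is not MRI-style
# (JRuby and Rubinius print a different banner and are unaffected anyway).
def parse_ruby_v(line)
  m = line.match(/\Aruby (\d+\.\d+\.\d+)p(\d+)/i)
  return nil unless m
  [m[1], m[2].to_i]
end

# :patched    -> at or above the fixed patch level for that series
# :vulnerable -> an affected series below the fixed patch level
# :unknown    -> a series the advisory table does not cover (extend
#                FIXED_PATCHLEVELS if you track other releases)
def cve_2013_4164_status(version, patchlevel)
  fixed = FIXED_PATCHLEVELS[version]
  return :unknown unless fixed
  patchlevel >= fixed ? :patched : :vulnerable
end

# Convenience wrapper over a raw `ruby -v` line.
def status_from_ruby_v(line)
  parsed = parse_ruby_v(line)
  return :unknown unless parsed
  cve_2013_4164_status(*parsed)
end

if __FILE__ == $0
  # Report on the interpreter this script is running under.
  status = cve_2013_4164_status(RUBY_VERSION, RUBY_PATCHLEVEL)
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: #{status}"
end
```

Run it under each dyno's Ruby (for example via `heroku run`), or feed it the captured `ruby -v` line with `status_from_ruby_v`.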

For Bamboo applications, all operating system libraries are based on Debian 5.0. Support for this version, including security updates, was discontinued by the Debian project in February 2011. Given the obsolescence of the underlying libraries, we have made the difficult decision to NOT release a patch for today’s vulnerability for Bamboo. All Bamboo users are strongly urged to begin migrating their applications to Cedar as soon as possible.