pdery5936
(Paraprosdokian)
February 3, 2010, 3:32pm
1
I've downloaded Ruby 1.9.1 but am unsure as to where/how to install it. Or will Spiceworks update it?
SpiceWorks does not do updates to your system software. If you are referring to the Ruby package that is used by SpiceWorks itself, this is part of the SW application package and you cannot modify it. Even if you managed to replace it with Ruby 1.9, that is a completely different code base (Ruby 1.8 and 1.9 come from completely different companies and projects and are not compatible!!!), and SpiceWorks would simply fail to run.
What prompted you to download Ruby 1.9?
akp982
(akp982)
February 4, 2010, 12:55am
3
You can’t and don’t update the version of Ruby Spiceworks is using.
Spiceworks will do this over time when they have had a chance to ensure it is stable and works well with their application.
akp982
(akp982)
February 4, 2010, 12:58am
4
Scott Alan Miller wrote:
What prompted you to download Ruby 1.9?
Read the post. Secunia, which is a vulnerability scanner: http://secunia.com/
Not a very good one if it is flagging that. Ruby 1.8 and Ruby 1.9 are physically different products. 1.9 is not simply a higher version of 1.8. I’d scrap that scanner based on that bad data. Major blunder.
akp982
(akp982)
February 4, 2010, 1:09am
6
Scott Alan Miller wrote:
Not a very good one if it is flagging that. Ruby 1.8 and Ruby 1.9 are physically different products. 1.9 is not simply a higher version of 1.8. I’d scrap that scanner based on that bad data. Major blunder.
But if 1.8 has vulnerabilities fixed in 1.9, then it works, regardless of being “different products”?
And also, how can software be physical? I’m in a hyper mood today, you may want to ignore, or kill me, shoot to kill.
I was going to reply right away yesterday but given I don’t know jack squat about ruby, I didn’t want to get ahead of myself. But for what it’s worth, I do value secunia as a trusted outlet for keeping up on zero days and what have you. I’ve also been pleased to use the PSI/CSI scanning tools for years now b/c they beat the heck out of MBSA in that they scan thousands of 3rd party apps. Not just M$-ware.
I checked their online database and all I could find are an XSS and DoS issue. Both rated less critical and with no CVE references. I wouldn’t worry about it. Yesterday in my infinite ignorance I was going to say you’ll need to wait for spiceworks to apply the patches to their product in future releases and you won’t be able to force the patch manually yourself.
I ran the online scanner on my SW server and it only found java issues. I’m running the CSI scanner just for the hay of it but it’s taking forever. I’ll probably report back next year. This server should be in the Smithsonian Institute in a big glass box.
@P1398 : Can you post a screenshot of the secunia report indicating the spiceworks ruby-related vuln?
pdery5936
(Paraprosdokian)
February 4, 2010, 11:32am
8
Ruby WEBrick Terminal Escape Sequences Weakness
Secunia Advisory: SA37949
akp982 wrote:
Scott Alan Miller wrote:
Not a very good one if it is flagging that. Ruby 1.8 and Ruby 1.9 are physically different products. 1.9 is not simply a higher version of 1.8. I’d scrap that scanner based on that bad data. Major blunder.
But if 1.8 has vulnerabilities fixed in 1.9, then it works, regardless of being “different products”?
And also, how can software be physical? I’m in a hyper mood today, you may want to ignore, or kill me, shoot to kill.
From different physical vendors?
But that’s kind of like saying what if I brought out my own product called SpiceWorks 5.0 and Secunia just told people to install my product because the old one was old. Would mine fix bugs from the real one? Sure - simply because it didn’t have the original ones. Any different product does that.
spiceuser wrote:
I was going to reply right away yesterday but given I don’t know jack squat about ruby, I didn’t want to get ahead of myself. But for what it’s worth, I do value secunia as a trusted outlet for keeping up on zero days and what have you. I’ve also been pleased to use the PSI/CSI scanning tools for years now b/c they beat the heck out of MBSA in that they scan thousands of 3rd party apps. Not just M$-ware.
I checked their online database and all I could find are an XSS and DoS issue. Both rated less critical and with no CVE references. I wouldn’t worry about it. Yesterday in my infinite ignorance I was going to say you’ll need to wait for spiceworks to apply the patches to their product in future releases and you won’t be able to force the patch manually yourself.
I ran the online scanner on my SW server and it only found java issues. I’m running the CSI scanner just for the hay of it but it’s taking forever. I’ll probably report back next year. This server should be in the Smithsonian Institute in a big glass box.
@P1398 : Can you post a screenshot of the secunia report indicating the spiceworks ruby-related vuln?
Part of the issue, if it is really reporting this, is that it is picking up a vulnerability inside of another app. Since Ruby 1.8 and 1.9 are not compatible it isn’t a sensible alert. If it said “Ruby 1.8 EOL detected, consider your options” it would be better. But this assumes that the company is going to also rewrite any code that depends upon 1.8 as well. Not like Java where you just update and everything keeps working. Very dangerous message to give someone.
Okay this is even less critical than the 2 I pointed out. In fact it’s literally rated “not critical” =P
I’m pretty sure spiceworks can and probably will address this by way of the 1.8.6 patchlevel 388 update. But again, this is more an end-of-life issue than a real critical vuln. I’d say you can safely ignore it.
Ruby 1.8.6: Apply patchlevel 388:
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.zip
And, just for reference, Ruby 1.8 is NOT EOL according to the Ruby website. It is still the only version available across platforms. 1.9 is coming to replace it (they got the code base from another company) but isn’t ready yet. 1.8 remains the deployment standard for most non-Windows systems and any cross platform systems.
So the alert is actually incorrect in its statement about 1.8 as well.
Ruby 1.8.7 has actually been patched more recently than 1.9.1. So it is very much active. To quote Mark Twain: “The reports of my death are greatly exaggerated.”
spiceuser wrote:
Okay this is even less critical than the 2 I pointed out. In fact it’s literally rated “not critical” =P
I’m pretty sure spiceworks can and probably will address this by way of the 1.8.6 patchlevel 388 update. But again, this is more an end-of-life issue than a real critical vuln. I’d say you can safely ignore it.
Ruby 1.8.6: Apply patchlevel 388:
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p388.zip
1.8.6 has been superseded by 1.8.7.
Scott Alan Miller wrote:
1.8.6 has been superseded by 1.8.7.
Okay… but what is spiceworks running? Maybe I’m going about it the wrong way but when I checked my file versions they report 1.8.6. Either way 1.8.7 has a known issue (and corresponding patch) too.
Also, I think we’re reading into this way too much. They aren’t saying Ruby is dead or dying. They’re saying a component used in Ruby’s standard library has a known vulnerability. If an attacker can make injections into the WEBrick logs and then you review those logs via terminal (no spicehead ever will!) then they may be able to take advantage of weaknesses in terminal emulators. None of us need to worry about this in terms of the spiceworks app.
Let’s just go straight to the source. This was posted January 10th and can also be found right on the top of the front page of the ruby-lang.org website.
WEBrick has an Escape Sequence Injection vulnerability
I hope this doesn’t add to the confusion. But regardless, I trust secunia and don’t believe they’ve misinformed.
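The log-injection scenario described in the post above, as an added example in Ruby that is not WEBrick's own code or its patch: it detects terminal control bytes in constructed WEBrick-style access-log lines and rewrites them to an inert visible form, so that reviewing the log in a terminal shows the injected sequence instead of having the emulator act on it. The sample lines and the helper names (`escape_sequence?`, `neutralise`, `scan_log`) are assumptions of this example.

```ruby
# Added example (not WEBrick's code or patch): neutralise terminal escape
# sequences in access-log lines before they are written or reviewed.
# WEBrick logged the request line verbatim, so a path containing ESC bytes
# reached the terminal of whoever tailed the log.

# Bytes a terminal emulator interprets: C0 controls except TAB/LF/CR,
# and DEL. ESC (0x1b) is the start of CSI/OSC sequences.
CONTROL_RE = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# True if the line carries any byte a terminal could act on.
def escape_sequence?(line)
  !(line.b =~ CONTROL_RE).nil?
end

# Replaces each control byte with a visible \xNN token, so the injection
# is displayed as text rather than executed by the emulator.
def neutralise(line)
  line.b.gsub(CONTROL_RE) { |c| format('\\x%02X', c.ord) }.force_encoding('UTF-8')
end

# Scans an array of log lines; returns the 1-based indexes that were
# flagged together with the sanitised copies of all lines.
def scan_log(lines)
  flagged = []
  clean = lines.each_with_index.map do |line, i|
    flagged << i + 1 if escape_sequence?(line)
    neutralise(line)
  end
  [flagged, clean]
end

# Constructed sample lines in WEBrick's default access-log format. The
# second one carries a clear-screen CSI and a BEL inside the request path.
SAMPLE_LOG = [
  "192.0.2.10 - - [04/Feb/2010:11:32:00 +0000] \"GET /index.html HTTP/1.1\" 200 512",
  "192.0.2.99 - - [04/Feb/2010:11:33:07 +0000] \"GET /\e[2J\e[0m\a HTTP/1.1\" 404 0",
]

if __FILE__ == $0
  flagged, clean = scan_log(SAMPLE_LOG)
  puts "flagged lines: #{flagged.inspect}"
  puts clean
end
```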
akp982
(akp982)
February 4, 2010, 12:33pm
15
Best thing I can think of is…
How many people see this site? Is it externally accessible?
In normal cases it’s internal people and no others than over VPN, so there isn’t much to worry about?
The info in the original post was that Secunia said that 1.8 is outdated, which is just not true. 1.8 and 1.9 are both current at this time. Maybe the post misrepresents Secunia but the statement that 1.8 is outdated cannot be made.
Yeah I’m not sure about how it’s represented in the scan results but the advisory it points to is accurate. 1.8 and 1.9 may be current just like Windows 7 may be current. But just like components and applications included/installed on Windows 7 can create vulns (think adobe and IE), so too can components included in Ruby, such as WEBrick logs. Windows 7 may be current but you still have to apply patches for bugs and vulns on occasion. Ruby 1.8.6, 1.8.7, and 1.9.1 may be current, but from the looks of it… you still have to apply patches from time to time. Even ruby-lang.org is saying this.
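The triage rule the two posts above converge on, as an added example in Ruby that is not Secunia's or Spiceworks' logic: an installed Ruby is compared only against the advisory's fixed release of the same series, by patchlevel, and a version from another series (1.9.1 against a 1.8.6 fix, or vice versa) is reported as not comparable rather than as "outdated". The fixed version 1.8.6-p388 comes from the thread; the installed version strings and the helper names (`RubyVersion`, `assess`) are assumptions of this example.

```ruby
# Added example (not Secunia's or Spiceworks' code): series-aware check
# of an installed Ruby against an advisory's fixed version. Ruby 1.8.x and
# 1.9.x are parallel series, so the existence of 1.9.1 says nothing about
# whether a 1.8.6 install has the fix; only the 1.8.6 patchlevel does.

RubyVersion = Struct.new(:major, :minor, :tiny, :patchlevel) do
  # The release series, e.g. "1.8.6"; patchlevels are comparable only
  # within one series, because each series gets its own fix release.
  def series
    "#{major}.#{minor}.#{tiny}"
  end

  # Accepts the forms seen in file versions and advisories:
  # "1.8.6-p388", "1.8.6 p287", "1.8.6p388", "1.9.1" (no patchlevel).
  def self.parse(str)
    m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:[-\s]?p(\d+))?\z/)
    raise ArgumentError, "unrecognised version: #{str.inspect}" unless m
    new(m[1].to_i, m[2].to_i, m[3].to_i, m[4] ? m[4].to_i : 0)
  end
end

# Returns :patched, :vulnerable or :not_comparable for an installed
# version string and the advisory's fixed version string.
def assess(installed, fixed)
  inst = RubyVersion.parse(installed)
  fix  = RubyVersion.parse(fixed)
  return :not_comparable unless inst.series == fix.series
  inst.patchlevel >= fix.patchlevel ? :patched : :vulnerable
end

if __FILE__ == $0
  fixed = '1.8.6-p388' # from the advisory discussed in the thread
  # Installed strings below are constructed for the example.
  ['1.8.6 p287', '1.8.6-p388', '1.9.1-p0', '1.8.7-p0'].each do |v|
    puts "#{v}: #{assess(v, fixed)}"
  end
end
```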
Oh yes, patches definitely need to be applied to any app. The version install has a needed patch but the 1.8 family is not deprecated or anything like that.
It’s a little confusing though to have it scanning inside other apps like SpiceWorks though. SpiceWorks doesn’t have a patch for that yet and Ruby itself is not officially installed.
Maybe it does not recommend the remediation. The original post implied many things that may not have actually been from Secunia itself.
Yeah, it’s a pretty hardcore little scanning tool. Sometimes too hardcore. I think we’ve reached a convergence of the minds.
Have a great evening everyone!
edit: you have to realize this is an application vulnerability scanner in that it detects insecure application versions. SI in PSI/CSI stands for Software Inspector.
Yeah. It’s SpiceCorps Dallas tonight in just an hour!