Omnibus Ruby Version


#1

Does anyone know if the ruby version in the omnibus installers is going to
be upgraded to 2.1.6? I am not sure how big of an issue this is:
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

I would like to submit a PR for this, but I am not really sure what to
change and in which repos – any information would be appreciated.

-Ryan H.


#2

Hey Ryan,
thanks for the note. The short answer is that we don’t feel it’s a
particularly bad bug; there’s a very limited set of circumstances that
would enable someone to exploit this. The longer answer is that we should
have updated for 12.3.0, but I didn’t realise we weren’t up to date until
it went out.
I’ve just created https://github.com/chef/omnibus-chef/pull/381 to update
to 2.1.6, and we’ll pick this up for chef in 12.4.0 (or 12.3.1 if there’s a
need to do a point release) in a couple of weeks.
Thanks again,
-Thom

On Thu, Apr 30, 2015 at 7:19 AM, Ryan Hass ryan@invalidchecksum.net wrote:

Does anyone know if the ruby version in the omnibus installers is going to
be upgraded to 2.1.6? I am not sure how big of an issue this is:
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

I would like to submit a PR for this, but I am not really sure what to
change and in which repos – any information would be appreciated.

-Ryan H.
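The 2.1.6 bump discussed above replaces Ruby's wildcard matching in OpenSSL::SSL.verify_certificate_identity with a stricter RFC 6125 matcher. The following check, added here and not part of the thread or of omnibus-chef, probes whichever Ruby runs it (for example an embedded omnibus interpreter) and reports whether it still accepts the loose wildcard forms; the three rejected patterns are my reading of RFC 6125 section 6.4.3, and all certificates are throwaway ones generated in memory.

```ruby
require 'openssl'

# One throwaway key for every test certificate (generated in memory).
TEST_KEY = OpenSSL::PKey::RSA.new(2048)

# Self-signed certificate whose subjectAltName carries the given DNS name,
# so verify_certificate_identity takes its SAN path rather than the CN.
def san_cert(dns_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=test')
  cert.issuer     = cert.subject
  cert.public_key = TEST_KEY.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}", false))
  cert.sign(TEST_KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

def identity_match?(san, host)
  OpenSSL::SSL.verify_certificate_identity(san_cert(san), host)
end

# Wildcard patterns a strict RFC 6125 matcher refuses, each paired with a
# hostname that a looser, regexp-style matcher would have accepted
# (assumed cases, derived from RFC 6125 section 6.4.3).
REJECTED = [
  ['*.*.example.com',   'a.b.example.com'],   # two wildcard labels
  ['*a*.example.com',   'bab.example.com'],   # two wildcards in one label
  ['www.*.example.com', 'www.a.example.com'], # wildcard not in leftmost label
].freeze

# A single leftmost wildcard must match exactly one label, case-insensitively.
ACCEPTED = [
  ['*.example.com', 'www.example.com', true],
  ['*.example.com', 'WWW.EXAMPLE.COM', true],
  ['*.example.com', 'a.b.example.com', false],
].freeze

def strict_wildcard_matching?
  REJECTED.none? { |san, host| identity_match?(san, host) }
end

def sane_wildcard_matching?
  ACCEPTED.all? { |san, host, expected| identity_match?(san, host) == expected }
end
```

Run it with the interpreter under test and print `strict_wildcard_matching?`; `false` means that Ruby still has the pre-2.1.6 matcher.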