Ruby exploits are becoming more common. When one is found, it is often necessary to upgrade the Ruby in your Ruby-on-Rails stack to the latest patch version to mitigate the vulnerability du jour. If you are using RVM, here’s how you do it:
1) Verify the latest, stable version of Ruby currently available for download at ruby-lang.org
Note the version number.
2) Check your current version of Ruby.
$ rvm list
=* ruby-2.0.0-p247 [ x86_64 ]
3) Download and upgrade to the latest, stable version of RVM
$ rvm get stable
4) List the versions of Ruby that RVM knows about.
$ rvm list known
You are looking for the “MRI Rubies” section; scroll up to find it. Then make sure the Ruby version you found in step 1 appears in the list:
[ruby-]2.0.0[-p353]
5) Upgrade Ruby by passing in the name of your current version and the top-level version number. RVM resolves the top-level number to the newest patch level in the list from step 4, which is why updating RVM first matters.
rvm upgrade <your_current_version> <target_version>
$ rvm upgrade 2.0.0-p247 2.0.0
You should see a confirmation message appear:
Are you sure you wish to upgrade from ruby-2.0.0-p247 to ruby-2.0.0-p353? (Y/n):
6) Answer Y to start the upgrade. It may take some time to complete, since Ruby must be downloaded and compiled, but it should finish without incident. The installer will also offer to move your gems to the new version, deleting them from the old version, and to move your aliases and wrappers. For convenience's sake, it is advisable to accept these offers:
Are you sure you wish to MOVE gems from ruby-2.0.0-p247 to ruby-2.0.0-p353?
This will overwrite existing gems in ruby-2.0.0-p353 and remove them from ruby-2.0.0-p247 (Y/n):
Do you wish to move over aliases? (Y/n): y
Do you wish to move over wrappers? (Y/n): y
7) Remove the old, vulnerable version of Ruby.
It is also advisable to let the installer remove the older version, so that nothing on the machine can still select it:
Do you also wish to completely remove ruby-2.0.0-p247 (inc. archive)? (Y/n):
Removing ruby-2.0.0-p247...
8) If all has gone as expected, you will see a confirmation message.
Successfully migrated ruby-2.0.0-p247 to ruby-2.0.0-p353
Upgrade complete!
9) Set the upgraded version of Ruby as your RVM default.
$ rvm --default use 2.0.0
10) Verify you are running the new, patched version of Ruby. Also run `ruby -v` in a fresh shell so you know the interpreter actually on your PATH is the new one and not a system Ruby:
$ rvm list
=* ruby-2.0.0-p353 [ x86_64 ]
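The steps above are easy to get subtly wrong when repeated across several hosts (a box left on the old patch level because someone compared version strings lexically, or because `ruby -v` still pointed at a system Ruby). The following POSIX shell script is an added example, not code from the original post or from RVM: it takes the target release noted in step 1, parses the running interpreter's `ruby -v` line (or an RVM ruby name from `rvm list`), compares version and patch level numerically, and prints the exact `rvm upgrade` invocation from step 5 when the host is behind. The script name, the function names and the sample `ruby -v` lines are assumptions constructed for this example; the only RVM command it emits is the `rvm upgrade` form shown on this page. It also handles newer Rubies whose `ruby -v` output carries no `pNNN` patch level, which the page's 2.0.0 examples do not show.

```shell
#!/bin/sh
# check_ruby_patch.sh (added example; not part of the original post or of RVM)
# Usage: sh check_ruby_patch.sh 2.0.0-p353
# Compares the interpreter on PATH with the target release from step 1 and
# prints the `rvm upgrade` command from step 5 if the host is still behind.

# "ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-linux]" -> "2.0.0 247"
# A newer line without a patch level, "ruby 3.2.2 (...)", yields "3.2.2 "
# and the caller treats the empty patch level as 0.
parse_ruby_version() {
    printf '%s\n' "$1" |
        sed -n 's/^ruby \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2/p'
}

# "=* ruby-2.0.0-p247 [ x86_64 ]" (an `rvm list` line) or "2.0.0-p247" -> "2.0.0 247"
parse_rvm_name() {
    printf '%s\n' "$1" |
        sed -n 's/^=*\**[ ]*\(ruby-\)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)-\{0,1\}p\{0,1\}\([0-9]*\).*/\2 \3/p'
}

# Numeric, field-by-field comparison of dotted strings with up to four
# fields (MAJOR.MINOR.TEENY.PATCHLEVEL). Returns 0 when $1 is strictly
# older than $2, 1 otherwise. Lexical comparison would rank p353 below p9.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s\n' "$1" | cut -d. -f"$i")
        b=$(printf '%s\n' "$2" | cut -d. -f"$i")
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Print "upgrade", "ok" or "unparseable" for a `ruby -v` line ($1) against
# the target version ($2, e.g. 2.0.0) and target patch level ($3, e.g. 353).
check_patch_level() {
    parsed=$(parse_ruby_version "$1")
    if [ -z "$parsed" ]; then
        echo unparseable
        return 2
    fi
    ver=${parsed% *}
    pl=${parsed#* }
    if version_lt "$ver.${pl:-0}" "$2.$3"; then
        echo upgrade
    else
        echo ok
    fi
}

# Walk the page's procedure for the interpreter on PATH.
main() {
    target="$1"                       # e.g. 2.0.0-p353, as noted in step 1
    tver=${target%-p*}
    tpl=${target##*-p}
    [ "$tpl" = "$target" ] && tpl=0   # target given without a -pNNN suffix
    running=$(ruby -v 2>/dev/null) || { echo "ruby not found on PATH" >&2; return 2; }
    case $(check_patch_level "$running" "$tver" "$tpl") in
        upgrade)
            cur=$(parse_ruby_version "$running")
            curpl=${cur#* }
            echo "running: $running"
            echo "behind $target; upgrade with:"
            echo "  rvm upgrade ${cur% *}${curpl:+-p$curpl} $tver"
            return 1 ;;
        ok)
            echo "ruby is at or above $target: $running"
            return 0 ;;
        *)
            echo "could not parse: $running" >&2
            return 2 ;;
    esac
}

# Only act when a target is passed on the command line, so the functions
# can also be sourced from other scripts.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it after step 10; a non-zero exit means the host still needs the `rvm upgrade` it prints, which makes it easy to loop over a fleet and collect the stragglers. The comparison is deliberately numeric per field because the patch levels on this page (p247, p353) would sort wrongly as strings against something like p9.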