Ruby on rails version 3.0.12 and rack version 1.2.5

software development

#1

Hi,

Recently there was a [url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5036]security advisory[/url] about a hash table vulnerability reported against various companies/platforms. Ruby on Rails released an update (3.0.12) which also needs an update to the rack gem (1.2.5).

Unfortunately, the Phusion Passenger on DreamHost currently runs rack 1.2.1, and this causes the infamous “already activated rack 1.2.1” error.

The solution would be to update the official (i.e. site-global) rack gem version on DreamHost to 1.2.5. I raised a support ticket, but DreamHost responded with “you need a private server” or “use fastCGI”. If more people raise this issue, hopefully they will update the gem. This is not a random feature upgrade but a security update, so DreamHost should really implement it.

–journeyer


#2

What did you put in your support ticket? I want to submit a similar one.


#3

Here is the text of my ticket. But don’t have too high hopes, as they think it is not remotely exploitable and are advising to just run it using fastCGI (which worked for me).

Hello,

There was a rails security update today and after updating rails to 3.0.12 I am unable to start my application with the error: “You have already activated rack 1.2.1, but your Gemfile requires rack 1.2.5. Consider using bundle exec.”

The rails version 3.0.12 requires rack version 1.2.5, but the passenger is running with rack version 1.2.1. Can you configure passenger so that it uses rack version 1.2.5?
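The error quoted in the ticket above is Bundler refusing to load a Gemfile.lock whose pinned rack version differs from the rack gem that the host process (here Passenger, using the site-global gem) has already activated. The following is an added example, not code from the thread or from DreamHost, that reproduces that check stand-alone so you can diagnose the mismatch before deploying: it parses a constructed Gemfile.lock fragment (the versions match the thread: rails 3.0.12 locked against rack 1.2.5), compares the locked version with the version activated in the current process (or a version you pass in to simulate Passenger's system gem), and returns the same diagnosis Bundler prints. The lock file content, the function names and the explicit `activated` parameter are assumptions for the example.

```ruby
# Added example (not part of the original thread): reproduce the check behind
# "You have already activated rack X, but your Gemfile requires rack Y".
require 'rubygems'

# Constructed Gemfile.lock fragment with the thread's versions (rails 3.0.12,
# rack 1.2.5). A real lock file has many more entries, same layout.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: http://rubygems.org/
  specs:
    rack (1.2.5)
    rack-mount (0.6.14)
      rack (>= 1.0.0)
    rails (3.0.12)
      railties (= 3.0.12)
    railties (3.0.12)
      rack (= 1.2.5)
LOCK

# Locked version of a gem from the "specs:" section of a Gemfile.lock.
# Top-level spec lines are indented exactly four spaces ("    rack (1.2.5)");
# deeper-indented lines are dependency constraints and are skipped.
def locked_version(lockfile, gem_name)
  lockfile.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Version already activated in this process. Passenger activates the system
# rack before Bundler reads the Gemfile, which is the situation in the thread;
# `override` lets the caller simulate that without rack being installed.
def activated_version(gem_name, override = nil)
  return Gem::Version.new(override) if override
  spec = Gem.loaded_specs[gem_name]
  spec && spec.version
end

# Compare the two and build Bundler's diagnosis. Bundler treats the lock as an
# exact pin, so the requirement is "= <locked version>".
def check_activation(lockfile, gem_name, activated = nil)
  required = locked_version(lockfile, gem_name)
  active = activated_version(gem_name, activated)
  conflict = false
  if required && active
    conflict = !Gem::Requirement.new("= #{required}").satisfied_by?(active)
  end
  message = nil
  if conflict
    message = "You have already activated #{gem_name} #{active}, but your " \
              "Gemfile requires #{gem_name} #{required}. Consider using bundle exec."
  end
  {
    gem: gem_name,
    required: required && required.to_s,
    activated: active && active.to_s,
    conflict: conflict,
    message: message
  }
end

if __FILE__ == $0
  # Simulate Passenger's site-global rack 1.2.1 against the lock's rack 1.2.5.
  result = check_activation(SAMPLE_LOCKFILE, 'rack', '1.2.1')
  puts(result[:message] || "#{result[:gem]}: no activation conflict")
end
```

Running it without the override reports whatever rack your own Ruby has activated (nothing, in a bare interpreter), which is the same question to ask inside the Passenger process: if `Gem.loaded_specs['rack']` there is 1.2.1, no Gemfile change will help until the site-global gem is updated or the app runs under a loader such as fastCGI or `bundle exec` that lets Bundler activate the locked version first.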