Tags: ruby-on-rails, ruby-on-rails-2, ruby-1.9.3, ruby-1.8.7

Using unsupported ruby binary interpreters with Rails LTS


I've done a little bit of reading and I can't seem to find a good answer to this question. I wanted to know if somebody could comment on whether there are any known dangers to using Rails LTS (https://railslts.com) with an unsupported (i.e. unpatched) Ruby interpreter version (1.8.7 or 1.9.3). I have queried Makandra on this issue; however, I wanted to know if anybody in the general Rails community knows of any security risks associated with this type of implementation (Rails 2.3 LTS with Ruby 1.8.7 or 1.9.3). I will report my findings from Makandra on this question if and when they reply.

To note, Makandra's website states "In order to shield our customers from disclosed exploits, we have been maintaining private forks of older Rails versions for quite some time already." In conjunction with the requirements outlined for Rails LTS (i.e. tested only with Ruby 1.8.7), I am operating under the assumption that Rails LTS safely mitigates vulnerabilities inherent to the out-of-date underlying Ruby interpreter. This being said, I wanted to ask the Rails community about this issue to see if there is anything I should be concerned about (from a security standpoint) regarding implementing Rails LTS with Ruby 1.9.3/1.8.7. I already understand that out-of-date and unsupported gems are a potential issue.


Solution

  • I heard back from the Rails LTS team on this issue. Here is the response:

    Since the attack surface for Ruby is much smaller than that for Rails, Ruby vulnerabilities tend to differ in frequency and severity from vulnerabilities for Rails.

    In the one recent case where a Ruby vulnerability affected a typical Rails application, we have provided unofficial patches for legacy Ruby versions (https://github.com/makandra/ruby). However, our expertise lies in Ruby, not in C. Thus we cannot guarantee future patches for legacy Ruby versions.

    This being said, I subsequently realized there are many Ruby interpreters for 1.9.3 that continue to be patched and supported, for example JRuby. I installed JRuby and it appears to be working fine.