Last active: December 29, 2015 04:09
On Saturday November 23rd, 2013, Heroku sent an email about CVE-2013-4164 to tell us to upgrade. Here is a script listing vulnerable apps.
#!/usr/bin/env ruby
#
# To simply run this script from your terminal:
# $ ruby -e "$(curl -fsSL https://gist.github.com/ssaunier/7612827/raw/heroku-CVE-2013-4164.rb)"
#
# From Heroku email, you must upgrade your ruby version to:
#
# New: ruby 1.8.7p375 (2013-11-22 revision 375) [x86_64-linux]
# New: ruby 1.9.2p321 (2013-11-22 revision 321) [x86_64-linux]
# New: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
# New: ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux]

# Print an app whose Ruby patch level is below the fixed one (red).
def upgrade(app, ruby)
  puts "\e[31m#{app}\e[0m (#{ruby}) => UPGRADE!"
end

# Print an app that already runs a fixed patch level (green).
def ok(app, ruby)
  puts "\e[32m#{app}\e[0m (#{ruby}) => OK"
end

`heroku list`.split("\n").each do |app|
  app = app.strip
  next if app[0..2] == "===" || app == "" # Blank lines and === separator
  app = app.split(" ")[0].to_s.strip # `heroku list` appends the owner's email to some apps
  # Ask the dyno for its Ruby version; the banner is the last line of the output
  ruby_version = `heroku run ruby -v --app #{app}`.split("\n")[-1]
  if ruby_version =~ /ruby (([0-9\.]*)p([0-9]*))/
    patch = $3.to_i
    case $2
    when "1.8.7" then patch < 375 ? upgrade(app, $1) : ok(app, $1)
    when "1.9.2" then patch < 321 ? upgrade(app, $1) : ok(app, $1)
    when "1.9.3" then patch < 484 ? upgrade(app, $1) : ok(app, $1)
    when "2.0.0" then patch < 353 ? upgrade(app, $1) : ok(app, $1)
    else puts "\e[31m#{app}\e[0m (#{$1}) => UNSUPPORTED VERSION!"
    end
  end
end

puts "---------------------------------------"
puts "For each app you need to upgrade, run:"
puts "$ cd /path/to/your/app"
puts "$ git commit --allow-empty -m \"upgrade ruby version\""
puts "$ git push heroku master"
puts " "
puts "Please note that this script doesn't know which apps are actually Ruby apps."
puts "If you try to upgrade the ruby version for a Node.js app, it won't work,"
puts "as Heroku does not seem to pick up the new ruby version in that case."
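The version check the script performs, as an added example that is not the gist's own code: a pure function that parses the `heroku run ruby -v` output against the fixed patch levels from the Heroku email, and also handles the two cases the script only warns about (a dyno with no Ruby at all, and a Ruby series the email does not list). The app names, dyno ids and the 1.8.6 line in the sample are constructed for this example.

```ruby
# Added example (not the gist's script): classify the output of `heroku run ruby -v`
# against the fixed patch levels from the Heroku email for CVE-2013-4164.

# Minimum fixed patch level per Ruby series, as listed in the email above.
FIXED_PATCH = {
  "1.8.7" => 375,
  "1.9.2" => 321,
  "1.9.3" => 484,
  "2.0.0" => 353,
}.freeze

# Parse a banner such as "ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux]"
# into ["1.9.3", 448]. Returns nil when the line is not a `ruby -v` banner, e.g. the
# "command not found" a dyno without Ruby would print.
def parse_ruby_version(line)
  m = line.to_s.match(/\bruby (\d+\.\d+\.\d+)p(\d+)\b/)
  m && [m[1], m[2].to_i]
end

# Classify one app's `heroku run ruby -v` output as :upgrade, :ok, :unsupported or :not_ruby.
def classify(output)
  # `heroku run` prints its own status line first, so scan from the last line backwards
  # instead of trusting that the banner is the only line.
  parsed = output.to_s.lines.map(&:strip).reverse.map { |l| parse_ruby_version(l) }.compact.first
  return :not_ruby unless parsed
  series, patch = parsed
  fixed = FIXED_PATCH[series]
  return :unsupported unless fixed
  patch < fixed ? :upgrade : :ok
end

# Constructed sample of what `heroku run ruby -v --app NAME` might return for four apps;
# app names, dyno ids and the 1.8.6 line are made up for this example.
SAMPLE_OUTPUT = {
  "billing-api"   => "Running `ruby -v` attached to terminal... up, run.1234\nruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux]\n",
  "marketing"     => "Running `ruby -v` attached to terminal... up, run.5678\nruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux]\n",
  "legacy-cron"   => "ruby 1.8.6p420 (2010-08-16) [x86_64-linux]\n",
  "node-frontend" => "Running `ruby -v` attached to terminal... up, run.9012\nbash: ruby: command not found\n",
}.freeze

# Map each app name to its status.
def report(outputs = SAMPLE_OUTPUT)
  outputs.each_with_object({}) { |(app, out), h| h[app] = classify(out) }
end

report.each { |app, status| puts "#{app}: #{status}" } if __FILE__ == $PROGRAM_NAME
```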
Oh that's super nice, thanks! So Heroku doesn't just roll through and automatically upgrade -- but even so, it seems impossible to select a vulnerable version of Ruby (tried last night for an hour or two).
So, for new apps, you're patched (without a user choice), but for existing apps, you need to act in order to patch.
Exactly, at the next push of a new commit, if the buildpack detects a Ruby app, it will perform the ruby version migration and use the latest.
Super handy, thanks!