@ssaunier
Last active December 29, 2015 04:09
On Saturday, November 23rd, 2013, Heroku sent an email about CVE-2013-4164 telling us to upgrade. Here is a script that lists which of your Heroku apps are still running a vulnerable Ruby.
#!/usr/bin/env ruby
#
# To simply run this script from your terminal:
# $ ruby -e "$(curl -fsSL https://gist.github.com/ssaunier/7612827/raw/heroku-CVE-2013-4164.rb)"
#
# From Heroku email, you must upgrade your ruby version to:
#
# New: ruby 1.8.7p375 (2013-11-22 revision 375) [x86_64-linux]
# New: ruby 1.9.2p321 (2013-11-22 revision 321) [x86_64-linux]
# New: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
# New: ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux]

def upgrade(app, ruby)
  puts "\e[31m#{app}\e[0m (#{ruby}) => UPGRADE!"
end

def ok(app, ruby)
  puts "\e[32m#{app}\e[0m (#{ruby}) => OK"
end

`heroku list`.split("\n").each do |app|
  app = app.strip
  next if app[0..2] == "===" || app == "" # Blank lines and === separator
  app = app.split(" ")[0].to_s.strip # Some apps appended by owner emails
  ruby_version = `heroku run ruby -v --app #{app}`.split("\n")[-1].to_s
  # 1.9.x/2.0.x print "ruby 1.9.3p448 (...)", while 1.8.x prints
  # "ruby 1.8.7 (2013-06-27 patchlevel 374) [...]", so accept both forms.
  if ruby_version =~ /ruby ([0-9.]+)p([0-9]+)/ ||
     ruby_version =~ /ruby ([0-9.]+) \([0-9-]+ patchlevel ([0-9]+)\)/
    version = $1
    patch = $2.to_i
    label = "#{version}p#{patch}"
    case version
    when "1.8.7" then patch < 375 ? upgrade(app, label) : ok(app, label)
    when "1.9.2" then patch < 321 ? upgrade(app, label) : ok(app, label)
    when "1.9.3" then patch < 484 ? upgrade(app, label) : ok(app, label)
    when "2.0.0" then patch < 353 ? upgrade(app, label) : ok(app, label)
    else puts "\e[31m#{app}\e[0m (#{label}) => UNSUPPORTED VERSION!"
    end
  else
    # Non-Ruby apps (or a failed `heroku run`) give no parsable version;
    # report that instead of skipping the app silently.
    puts "\e[33m#{app}\e[0m (#{ruby_version}) => NO RUBY VERSION FOUND"
  end
end

puts "---------------------------------------"
puts "For each app you need to upgrade, run:"
puts "$ cd /path/to/your/app"
puts "$ git commit --allow-empty -m \"upgrade ruby version\""
puts "$ git push heroku master"
puts " "
puts "Please note that this script doesn't know which apps are actually Ruby apps."
puts "If you try to upgrade the ruby version for a Node.js app, it won't work,"
puts "as Heroku does not seem to pick up the new ruby version in that case."
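As an added example that is not part of ssaunier's gist: the same patchlevel decision, factored into pure functions so it can be checked offline against constructed `ruby -v` lines before the script is run across an account. The app names and banner lines below are constructed; the thresholds are the ones from the Heroku email quoted in the script, and the 1.8.x line uses the "patchlevel" banner format that the 1.8 interpreter prints.

```ruby
# Added example, not part of the gist: CVE-2013-4164 decision logic as pure
# functions, exercised on constructed `ruby -v` output instead of live
# `heroku run` results.

# Lowest patchlevel containing the fix, per the Heroku email quoted above.
FIXED_PATCHLEVEL = {
  "1.8.7" => 375,
  "1.9.2" => 321,
  "1.9.3" => 484,
  "2.0.0" => 353,
}.freeze

# 1.9.x/2.0.x print "ruby 1.9.3p448 (2013-06-27 revision 41675) [...]";
# 1.8.x prints "ruby 1.8.7 (2013-06-27 patchlevel 374) [...]".
RUBY_V_PATTERNS = [
  /\Aruby (\d+\.\d+\.\d+)p(\d+)/,
  /\Aruby (\d+\.\d+\.\d+) \(\d{4}-\d{2}-\d{2} patchlevel (\d+)\)/,
].freeze

# Returns { version: "1.9.3", patch: 448 }, or nil when the line is not a
# recognisable `ruby -v` banner (e.g. "command not found" on a Node.js app).
def parse_ruby_version(line)
  RUBY_V_PATTERNS.each do |re|
    m = re.match(line.to_s.strip)
    return { version: m[1], patch: m[2].to_i } if m
  end
  nil
end

# :upgrade  - a covered series below the fixed patchlevel
# :ok       - at or above the fixed patchlevel
# :unknown  - a series the advisory table does not cover
# :no_ruby  - no version could be parsed at all
def cve_2013_4164_status(line)
  parsed = parse_ruby_version(line)
  return :no_ruby if parsed.nil?
  fixed = FIXED_PATCHLEVEL[parsed[:version]]
  return :unknown if fixed.nil?
  parsed[:patch] < fixed ? :upgrade : :ok
end

# Constructed sample: app name => last line of `heroku run ruby -v --app <name>`.
SAMPLE_OUTPUT = {
  "billing-api" => "ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux]",
  "marketing"   => "ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux]",
  "legacy-cms"  => "ruby 1.8.7 (2012-02-08 patchlevel 358) [x86_64-linux]",
  "node-worker" => "bash: ruby: command not found",
  "edge"        => "ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-linux]",
}.freeze

# Classify every app; returns { app => status }.
def report(samples = SAMPLE_OUTPUT)
  samples.each_with_object({}) do |(app, line), acc|
    acc[app] = cve_2013_4164_status(line)
  end
end

if __FILE__ == $0
  report.each { |app, status| puts "#{app}: #{status}" }
end
```

Keeping `:no_ruby` separate from `:unknown` matters in practice: the first is the "this is not a Ruby app" case the gist's closing note warns about, while the second is a Ruby series the advisory table does not cover and needs a human look.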
@ssaunier
Author

In your terminal, run:

ruby -e "$(curl -fsSL https://gist.github.com/ssaunier/7612827/raw/heroku-CVE-2013-4164.rb)"

@todb-r7

todb-r7 commented Nov 23, 2013

Oh that's super nice, thanks! So Heroku doesn't just roll through and automatically upgrade -- but even so, it seems impossible to select a vulnerable version of Ruby (tried last night for an hour or two).

So, for new apps, you're patched (without a user choice), but for existing apps, you need to act in order to patch.

@ssaunier
Author

Exactly: at the next push of a new commit, if the buildpack detects a Ruby app, it will perform the Ruby version migration and use the latest.

@BCoulange

Really handy, thanks!
