Upgrade openssl to 1.0.1g? CVE-2014-0160/heartbleed

[kule]

Whilst doing the rounds updating openssl I noticed my rvm ruby is still using 1.0.1f - which according to http://heartbleed.com/ is vulnerable.

Apparently it's not really a client issue however I assume it's worth updating the rvm openssl version?

Is it just a case of updating .rvm/config/db to use:

openssl_version=1.0.1g

?

[mpapis]

the db for start, but also binary rubies for OSX need updating - but this will be done as part of #2753

[kule]

Ok cool, thanks @mpapis. Thought you'd probably have this covered already just thought it best to put it in the list just in case :)

[jonah-williams]

Apparently it's not really a client issue...

As I understand it heartbleed is absolutely a client concern. A vulnerable client can be manipulated to dump memory contents to a malicious server it connects to. That is perhaps slightly harder to exploit but the memory contents of your local machine may still not be something you want to distribute far and wide.

When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
heartbleed.com

Thanks for starting this issue already. Is there a good manual process for forcing an update I can point RVM users at while waiting for those binaries to be updated? (Apologies for not being prepared to offer one myself, it's been a while since I used RVM.)

[mpapis]

rvm reinstall ruby-version --disable-binary

[jonah-williams]

@mpapis thank you!

[reedloden]

Is this going to be tagged and landed on the stable branch soon?

[mpapis]

soon, I need to add extra check to ensure the latest versions are used (during rvm update and on ruby installation)