
Does Apple maintain the security of the Ruby implementation that comes by default in OS X?

I recently heard about CVE-2013-4073, but when I ran "Software Update..." on my OS X Lion box, it didn't update Ruby. Also, I've never noticed a Software Update that changed the Ruby that OS X supplies.

I checked the version of Ruby, and it was prior to patchlevel 374:

ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin11.0]

If Apple doesn't do security updates for the built-in Ruby, does that mean that it's a potential security risk, for example if a careless user decided to use it for programming-related tasks?

Andrew Grimm
  • This specific issue "only" leads to vulnerabilities in applications that rely on TLS. So if it's only used for other stuff this one won't bite you. – CodesInChaos Jul 01 '13 at 06:53
  • Sure, yeah, it leads to serious security risk. Recently I checked the internet and found that there are some exploits for Ruby 1.8.7. See [this link](http://www.cvedetails.com/vulnerability-list/vendor_id-7252/product_id-12215/version_id-60323/Ruby-lang-Ruby-1.8.7.html) – Jijo John Jul 01 '13 at 17:14
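As an added check (example code written for this page, not from the question or from Apple), the script below parses a `ruby -v` banner like the one quoted in the question and reports whether the build predates the 1.8.7 patchlevel (374) the question cites for CVE-2013-4073; fixed patchlevels for other release branches are not given on this page, so those are reported as unknown rather than assumed.

```ruby
# Added example: does this Ruby build predate the 1.8.7 patchlevel cited for
# CVE-2013-4073? Run it with the system interpreter to check the OS X copy:
#   /usr/bin/ruby check_ruby.rb

# Minimum safe patchlevel per release branch. Only the 1.8.7 value is taken
# from the question; other branches are deliberately left out (unknown).
FIXED_PATCHLEVEL = { "1.8.7" => 374 }

# Parse a "ruby -v" banner such as
#   ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin11.0]
# or the newer "ruby 2.0.0p247 (...)" form into [version, patchlevel].
# Returns nil when the banner is not recognised.
def parse_ruby_banner(banner)
  m = banner.match(/\Aruby (\d+\.\d+\.\d+)(?:p(\d+))? \(([^)]*)\)/)
  return nil unless m
  level = m[2] || m[3][/patchlevel (\d+)/, 1]
  [m[1], level && level.to_i]
end

# :vulnerable if below the known fix level for that branch, :patched if at or
# above it, :unknown if the branch is not in the table or no patchlevel parsed.
def cve_2013_4073_status(version, patchlevel)
  min = FIXED_PATCHLEVEL[version]
  return :unknown if min.nil? || patchlevel.nil?
  patchlevel < min ? :vulnerable : :patched
end

def status_from_banner(banner)
  parsed = parse_ruby_banner(banner)
  return :unknown unless parsed
  cve_2013_4073_status(*parsed)
end

if __FILE__ == $0
  # Check the interpreter that is actually running this script.
  level = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  puts "ruby #{RUBY_VERSION} patchlevel #{level.inspect}: " \
       "#{cve_2013_4073_status(RUBY_VERSION, level)}"
end
```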

1 Answer

They do provide security fixes relating to Ruby - for example the fairly recent Security Update 2013-002 includes some Ruby stuff, as did 2013-001. They don't seem to have patched CVE-2013-4073 yet, but to be fair that vulnerability is only a couple of weeks old.

As you imply in your question, the non-careless developer will never try and run a production web app with built-in stack components, but will download and install a separate copy somewhere else and keep that patched and updated appropriately. For one thing, they're very likely to want something more modern than 1.8.7!

Graham Hill