Forum Thread: PSI database fix: Cygwin ruby.exe is not Rubyforge's ruby.exe

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
ordinant PSI database fix: Cygwin ruby.exe is not Rubyforge's ruby.exe
Member 19th Mar, 2011 03:45
Ranking: 0
Posts: 3
User Since: 19th Mar, 2011
System Score: N/A
Location: US
Last edited on 19th Mar, 2011 18:45

PSI is flagging the ruby.exe provided as part of the Cygwin package as insecure, but then provides a link to download a different Ruby installer from Rubyforge.org.

Please update your database to distinguish between Cygwin's ruby.exe and Rubyforge.org's ruby.exe. Cygwin users can only get updates from Cygwin, and if the Cygwin project does not yet offer a newer Ruby version, we just have to wait.

Actually, the PSI database should check the path of all executables it detects. If the path begins with [driveletter]:\Cygwin\bin, then send the user to http://cygwin.com to obtain updates, despite whatever other update URLs your database might currently think is appropriate.
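The path rule proposed in the post above, sketched as an added example (not part of the thread and not Secunia's code). The function name, the placeholder default URL and the sample paths are assumptions made for illustration; only the `[driveletter]:\Cygwin\bin` rule and the http://cygwin.com link come from the post.

```python
import ntpath
import re

CYGWIN_UPDATE_URL = "http://cygwin.com"  # update link named in the post
# Placeholder for whatever link the scanner's database would otherwise give.
PLACEHOLDER_DEFAULT_URL = "https://vendor.example/ruby-update"

# "[driveletter]:\Cygwin\bin" matched as whole path components, so that a
# sibling directory such as C:\Cygwin\binaries does not count as a prefix hit.
CYGWIN_BIN_PREFIX = re.compile(r"^[a-z]:\\cygwin\\bin(\\|$)")


def update_source(exe_path, default_url=PLACEHOLDER_DEFAULT_URL):
    """Return the update URL to show for one detected executable."""
    # normpath turns "/" into "\" and collapses "." and ".." segments;
    # normcase lowercases, because Windows paths are case-insensitive.
    normalized = ntpath.normcase(ntpath.normpath(exe_path))
    if CYGWIN_BIN_PREFIX.match(normalized):
        return CYGWIN_UPDATE_URL
    return default_url


def route_detections(paths):
    """Map every detected path to the update URL it should be given."""
    return {p: update_source(p) for p in paths}


# Constructed sample detections, not taken from a real scan.
SAMPLE_DETECTIONS = [
    r"C:\Cygwin\bin\ruby.exe",                 # Cygwin package
    "d:/cygwin/BIN/ruby.exe",                  # same rule, other spelling
    r"C:\Cygwin\binaries\ruby.exe",            # look-alike directory name
    r"C:\Cygwin\bin\..\..\Ruby\bin\ruby.exe",  # resolves outside Cygwin
    r"C:\Ruby\bin\ruby.exe",                   # standalone installer
]

if __name__ == "__main__":
    for path, url in route_detections(SAMPLE_DETECTIONS).items():
        print(f"{path} -> {url}")
```

The rule only covers installs in a top-level `Cygwin` directory, exactly as the post words it; a Cygwin tree installed under any other directory name would still fall through to the default link.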

Anthony Wells RE: PSI database fix: Cygwin ruby.exe is not Rubyforge's ruby.exe
Expert Contributor 20th Mar, 2011 14:00
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 20th Mar, 2011 14:08
Hi,

Secunia support are quite busy at the moment, but even so do not work weekends on the PSI.

The PSI reports on insecure programmes, apps, etc., and seeks and reports the insecurities, e.g. a .dll or an .exe file, wherever it can find/see/get its hands on it; in this case the ruby.exe file is what it seeks, so whether it is possible to fine tune the detection higher up the detected instance pathway is perhaps not so easy. Embedded "insecure" apps are considered the problem of the covering programme vendor, rather as you have remarked, but give the known update link to the insecurity not to the vendor.

If a Secunia official does not pick up your thread early next week you may wish to contact them by email at support@secunia.com.

If not having a 100% PSI score is of concern, you can set an ignore rule for the "detected instance" while you wait for Cygwin to rectify the problem. Setting an ignore rule in the PSI version 2.0.x means the programme is neither scanned nor displayed.

Open the/any programme with the [+] to the lhs of the entry and there are two yellow(ish) folder icons to the left of the detected instance(s); the one with the red blob is used to set the ignore rule (it's in the Toolbox in PSI version 1.5.x).

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela