Topic: Rails 1.1.5: Mandatory security patch

From Riding Rails

DHH wrote:


Last edited by thabenksta (2006-08-09 15:04:13)

Re: Rails 1.1.5: Mandatory security patch

Whoa, thanks for the heads up Ben. The announcement says that every single Rails release (0.6 and up) is affected by this bug. Looks like there's a lot of updating to do.

Re: Rails 1.1.5: Mandatory security patch

I hope people warn their hosts about this one. I imagine the larger hosts (Site5, DH, Argon, etc.) will be right on top of it, but some hosts shy away from upgrades/patching, even critical ones.

Josh Catone helps run this place
Rails Forum - Rails Jobs

Re: Rails 1.1.5: Mandatory security patch

Updated, thanks for letting us know.

vinnie - rails forum admin

Re: Rails 1.1.5: Mandatory security patch

It seems that quite a few people have already figured out what the problem is. It's a pretty big hole.

There seem to be a lot of outsiders saying "I guess it's not perfect after all". I for one am glad that it happened now. It takes a big scare like this for people to start really scrutinizing Rails' security, which is good. And it's better that it happens now than in a year when Rails has assimilated all Java and PHP programmers (yes, I can say that in the safety of this forum!).

There are also a lot of people saying that they should fully disclose the problem, because anyone can diff the patches and find the exploit. To me there's a big difference between announcing the exploit to the world, and a few stupid crackers with nothing better to do than diff svn patches.

This is what we get for being early adopters, but it's not that bad. At least we didn't find out about it AFTER all our servers had been compromised by some suburban teenager.

Re: Rails 1.1.5: Mandatory security patch

We're going to have security problems no matter what framework we use; the important thing is that they are fixed immediately. I'm happy the Rails development team has done that and is taking the security issue seriously.

Railscasts - Free Ruby on Rails Screencasts

Re: Rails 1.1.5: Mandatory security patch

At least it got Rails on Slashdot again.
