Serious Security Hole in Ruby on Rails
By Angsuman Chakraborty, Gaea News Network, Thursday, August 10, 2006
A serious security concern in Ruby on Rails has forced the Rails team to come up with release 1.1.5, without waiting for the scheduled release of 1.2.
David from Ruby on Rails team says:
This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.
For the third time: This is not like “sure, I should be flossing my teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour”. It’s not a suggestion, it’s a prescription. So get to it!
What amuses me is that with such a serious tone, any would-be hackers would be curious enough to diff the two versions, as the source code is available. So not revealing the vulnerability isn’t doing anyone any good.
This problem does not affect Rails 1.0 or earlier. The only versions affected are 1.1.0, 1.1.1, 1.1.2, and 1.1.4.