New Ruby on Rails Security Problem
Submitted by jabba on August 10, 2006 - 5:06am.
If you're using Tracks or any other Ruby on Rails app, there's a new critical vulnerability. The upgrade is mandatory and should be applied IMMEDIATELY.
From SANS:
Quote:
A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: "This is a MANDATORY upgrade for anyone not running on a very recent edge".
Unfortunately, they didn't specify what this "very recent edge" exactly is, so you can't say if you are vulnerable or not. We can confirm, though, that all older versions (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.
The new version (1.1.5) is supposed to be completely compatible with 1.1.4, however we would recommend that you check the original post about this available at http://weblog.rubyonrails.com/.
The new version can be downloaded from http://rubyforge.org/frs/?group_id=307.
Justin (Security Wonk and lapsed but trying GTD'r)
- 905 reads
and again:
http://weblog.rubyonrails.com/2006/8/10/rails-1-1- by emory