Hi,

http://dev.rubyonrails.org/ticket/8453
http://dev.rubyonrails.org/ticket/8371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227

I came across the above by accident. While I am subscribed to the so-called rails security list, where announcements of security issues were supposed to be posted, neither of the above problems made the list.

While I use rails a lot and like it, the above mentality of deeming something insignificant is troubling. A bug is either a security issue or it is not. It should be left up to the end-user whether they deem it important to them, and not to rails upstream.

So I guess the question remains. Do rails developers deem security as something secondary and not worth even making a simple post (or just a link) at the currently empty security list [1]? Is security+rails a joke?

- Adam

[1] - http://groups.google.com/group/rubyonrails-security/topics

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
On 9/27/07, gnuman <gnuman1@gmail.com> wrote:
> http://dev.rubyonrails.org/ticket/8453
> http://dev.rubyonrails.org/ticket/8371
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227

All I see is a bunch of fixed issues. So you are complaining not about low security of the framework, but about how the community handles it and the lack of communication between individuals?
I would agree that the Security mailing list should be utilized a little more than it is now (it's not) when a potential issue arises. When the "XML Parsing (included malformed DTD), 99% CPU DoS Attack" thread (http://groups.google.com/group/rubyonrails-core/browse_thread/thread/9e62a02529ce97f1) was started back in August, I kind of expected that to be posted to the Security group, although it never was.

On Sep 27, 3:54 pm, "Mislav Marohnić" <mislav.maroh...@gmail.com> wrote:
> On 9/27/07, gnuman <gnum...@gmail.com> wrote:
> > http://dev.rubyonrails.org/ticket/8453
> > http://dev.rubyonrails.org/ticket/8371
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
>
> All I see is a bunch of fixed issues. So you are complaining not about low
> security of the framework, but about how community handles it and lack of
> communication between individuals?
> I would agree that the Security mailing list should be utilized a
> little more than it is now (it's not) when a potential issue rises.
> When the "XML Parsing (included malformed DTD), 99% CPU DoS Attack"
> thread (http://groups.google.com/group/rubyonrails-core/browse_thread/thread/9e62a02529ce97f1)
> was started back in August, I kind of expected that to be posted to
> the Security group although it never was.

Sorry,

That should definitely have been posted to the security list; the post rights are restricted and David was away on holiday when that bug was found. This has been sorted out now.

--
Cheers

Koz
On Sep 27, 2:54 pm, "Mislav Marohnić" <mislav.maroh...@gmail.com> wrote:
> On 9/27/07, gnuman <gnum...@gmail.com> wrote:
> > http://dev.rubyonrails.org/ticket/8453
> > http://dev.rubyonrails.org/ticket/8371
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
>
> All I see is a bunch of fixed issues. So you are complaining not about low
> security of the framework, but about how community handles it and lack of
> communication between individuals?

*Exactly*. That is what I feel the security list is for - communication.

Someone is using version 1.1.6 in their application and doesn't care about the framework fixes (+new bugs) because it just works. But they should be aware if any issues come up that can potentially affect the security of their application.

One should be able to go to the security list and see threads like:

[1.1.6 - 1.2.3] - XSS in to_json. to_json doesn't escape stuff. [link to ticket]

Preferably, there should be a followup stating in what version the problem was fixed and the changesets that fix it.

This is not only something for individuals but also for people using the rails that is part of distributions like Debian. Debian and other distro maintainers need to be aware of problems so these can be backported (or checked to see if the old release is affected).

I became aware of one of the bugs after receiving a secunia advisory, http://secunia.com/advisories/25699/. One should be able to receive such information beforehand from the Rails security list.

- Adam
On Sep 27, 7:44 pm, "Michael Koziarski" <mich...@koziarski.com> wrote:
> > I would agree that the Security mailing list should be utilized a
> > little more than it is now (it's not) when a potential issue rises.
> > When the "XML Parsing (included malformed DTD), 99% CPU DoS Attack"
> > thread (http://groups.google.com/group/rubyonrails-core/browse_thread/thread/9e62a02529ce97f1)
> > was started back in August, I kind of expected that to be posted to
> > the Security group although it never was.
>
> Sorry,
>
> That should definitely have been posted to the security list, the post
> rights are restricted and david was away on holiday when that bug was
> found. This has been sorted out now.

Ah! I found another potential problem.

Is it possible that all these past, as well as any current, issues be posted to the security list now? Even a simple three-liner would be nice. Something like:

------------------------
Security issue in version: x.y.z, currently fixed in (SVN/version a.b.c).
Issue link: [link to trac]
Changeset link(s): [links to changesets that fix the issue]
------------------------

That would be very helpful, especially for people trying to keep older, or current, versions of rails secure.

- Adam
On 9/28/07, gnuman <gnuman1@gmail.com> wrote:
> It is possible that all these past, as well as any current, issues be
> posted to the security list now? Even a simple three liners would be
> nice. Something like

I don't remember stuff from before v1.2.3 well, but the only security features/fixes from that version to present that I can find are Request Forgery Protection (csrf killer) and these:

#8371: to_json XSS issue (mentioned in this thread)
[7589]: Secure #sanitize, #strip_tags, and #strip_links helpers against xss attacks (http://dev.rubyonrails.org/changeset/7589)
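The one concrete bug this thread names is the to_json XSS (ticket #8371, "to_json doesn't escape stuff" above). As an added illustration that is not code from the thread or from Rails, the Ruby below shows the defensive side: a hypothetical `html_safe_json` encoder that replaces the HTML-significant characters in generated JSON with `\uXXXX` escapes (which still parse back to the same value), and a `breaks_out_of_script?` check that a reviewer can run over rendered JSON; the sample comment string is constructed.

```ruby
require 'json'

# Characters that are harmless inside a JSON string but HTML-significant
# once the JSON text is embedded in a page (script block or attribute).
# Each is replaced by its \uXXXX escape, which JSON.parse decodes back
# to the same character, so the data is unchanged for the consumer.
HTML_UNSAFE_JSON = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Hypothetical hardened encoder (not the Rails fix itself): generate
# JSON, then escape the three characters above. Because the generated
# text is valid JSON, those characters can only occur inside strings.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&]/) { |c| HTML_UNSAFE_JSON[c] }
end

# Detection check: would this JSON text close a <script> block early if
# written into one verbatim? (Case-insensitive, as browsers are.)
def breaks_out_of_script?(json_text)
  json_text.downcase.include?('</script')
end

# Constructed sample: user-controlled content rendered into a page via
# to_json, the situation the thread describes.
SAMPLE = { 'comment' => 'nice post </script><b>bold</b> & more' }.freeze

# Compare plain generation against the escaped form and verify that the
# escaped form is both inert in HTML and still the same data.
def demo
  raw  = JSON.generate(SAMPLE)
  safe = html_safe_json(SAMPLE)
  {
    raw: raw,
    safe: safe,
    raw_unsafe: breaks_out_of_script?(raw),
    safe_ok: !breaks_out_of_script?(safe) && safe !~ /[<>&]/,
    round_trip: JSON.parse(safe) == SAMPLE
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```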