Aaron Patterson
2013-Jan-02 21:28 UTC
[ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.

The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).

For other changes in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:

* [Changes in 3.2.10](https://github.com/rails/rails/compare/v3.2.9...v3.2.10)
* [Changes in 3.1.9](https://github.com/rails/rails/compare/v3.1.8...v3.1.9)
* [Changes in 3.0.18](https://github.com/rails/rails/compare/v3.0.17...v3.0.18)

We're sorry to drop a release like this so close to the holidays, but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release.

To that end, we've minimized the number of changes in each release so that upgrading should be as smooth as possible.

Happy Holidays!

<3<3<3

--
Aaron Patterson
http://tenderlovemaking.com/

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Aaron Patterson
2013-Jan-02 21:35 UTC
Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
On Wed, Jan 02, 2013 at 01:28:36PM -0800, Aaron Patterson wrote:
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
>
> The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).

Oops! Forgot the CVE link:

https://groups.google.com/group/rubyonrails-security/browse_thread/thread/c2353369fea8c53

Thanks for your patience!

--
Aaron Patterson
http://tenderlovemaking.com/
Ryan Bigg
2013-Jan-03 00:49 UTC
Re: Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
Thank you, Aaron, for your work on Rails! <3 <3 <3

On 03/01/2013, at 8:35, Aaron Patterson <tenderlove@ruby-lang.org> wrote:
> On Wed, Jan 02, 2013 at 01:28:36PM -0800, Aaron Patterson wrote:
>> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
>>
>> The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
>
> Oops! Forgot the CVE link:
>
> https://groups.google.com/group/rubyonrails-security/browse_thread/thread/c2353369fea8c53
>
> Thanks for your patience!
>
> --
> Aaron Patterson
> http://tenderlovemaking.com/
Rodrigo Rosenfeld Rosas
2013-Jan-03 11:09 UTC
Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
On 02-01-2013 19:28, Aaron Patterson wrote:
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.

... unless you're using Sequel instead of AR like me ;)
Hongli Lai
2013-Jan-03 13:16 UTC
Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
This article explains how the vulnerability works, how it is triggered and what the facts are:
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

On Wednesday, January 2, 2013 10:28:36 PM UTC+1, Aaron Patterson wrote:
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
>
> The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
>
> For other changes in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:
>
> * [Changes in 3.2.10](https://github.com/rails/rails/compare/v3.2.9...v3.2.10)
> * [Changes in 3.1.9](https://github.com/rails/rails/compare/v3.1.8...v3.1.9)
> * [Changes in 3.0.18](https://github.com/rails/rails/compare/v3.0.17...v3.0.18)
>
> We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release.
>
> To that end, we've minimized the number of changes in each release so that upgrading should be as smooth as possible.
>
> Happy Holidays!
>
> <3<3<3
>
> --
> Aaron Patterson
> http://tenderlovemaking.com/
Michael Koziarski
2013-Jan-03 18:21 UTC
Re: Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
On Friday, 4 January 2013 at 2:16 AM, Hongli Lai wrote:
> This article explains how the vulnerability works, how it is triggered and what the facts are: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

Please don't give people misleading advice, Hongli. When we told people they should upgrade immediately we meant it. It *is* exploitable under some circumstances, so people should be upgrading immediately to avoid the risk.
dburry
2013-Jan-04 06:18 UTC
Re: Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
There's a really big difference between these two potential scenarios:

(a) every single Rails app I've ever written that uses find_by_*(params[*]) is immediately and completely compromised by anyone in the world with a simple well-crafted URL

-and-

(b) every single Rails app I've ever written might be completely compromised if I've done my code in certain ways that are not common, like somehow converting user-supplied string keys to symbols (authlogic being only an example).

In either case, yes, I should "immediately" upgrade my Rails to avoid the risk, since "complete compromise" is a pretty severe thing to risk (no matter how remote the chance). Let no man mistake that, or dull that message.... Let's upgrade! Don't put it off.

But the difference between (a) and (b) is in how many ridiculous sums of money should be spent on how many sleepless man-nights. The difference also can be in some manager deciding to ban Rails from his company (or not), or some large customer of some Rails-centric company deciding to not hire that company any longer (or keep hiring them).

I can understand pushing for upgrades, reducing liability, being on the safe side, etc., but please don't overstate the issue. If it's (a), please don't be nebulous about it, just plainly state that it's (a) and provide proof if people disagree. But if it's (b), please don't imply that it's (a).

Dave

On Thursday, January 3, 2013 10:21:45 AM UTC-8, Michael Koziarski wrote:
> On Friday, 4 January 2013 at 2:16 AM, Hongli Lai wrote:
>> This article explains how the vulnerability works, how it is triggered and what the facts are:
>> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
>
> Please don't give people misleading advice Hongli, when we told people they should upgrade immediately we meant it. It *is* exploitable under some circumstances, so people should be upgrading immediately to avoid the risk.
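To make the (a)/(b) distinction Dave draws above concrete, here is an added toy model written for this page. It is not Active Record's code, not the advisory's reproduction, and not anything from the Phusion article; the only thing it borrows from the thread is the shape of the concern: a hypothetical dynamic finder that accepts either a scalar or a Symbol-keyed options Hash, and a caller that passes request parameters straight in. `ToyFinder`, `find_by_id_sql`, `symbolize_keys` and the sample `STRING_KEYED_PARAMS` are all invented for the illustration. The third function shows the application-side defence that holds regardless of framework version: coerce the parameter to the column's type before it reaches any finder.

```ruby
# Added toy model for the find_by_*(params[*]) discussion. NOT Rails' code.
# Everything below is hypothetical; sample params are constructed inline.

class ToyFinder
  # Hypothetical quoting helper; a real adapter would use its own escaping.
  def self.quote(value)
    "'" + value.to_s.gsub("'", "''") + "'"
  end

  # Hypothetical dynamic finder. A scalar argument becomes a quoted WHERE
  # value. A Symbol-keyed Hash is treated as an options hash whose :select
  # fragment is spliced into the statement verbatim, which is the kind of
  # dual-purpose argument the thread is worried about. A String-keyed Hash
  # (what a request parser hands you) is NOT recognised as options here.
  def self.find_by_id_sql(arg)
    if arg.is_a?(Hash) && arg.keys.all? { |k| k.is_a?(Symbol) }
      select = arg.fetch(:select, "*")
      "SELECT #{select} FROM users WHERE id IS NULL"
    else
      "SELECT * FROM users WHERE id = #{quote(arg)}"
    end
  end
end

# Constructed sample: what a request parser would hand the controller.
# Keys stay Strings, exactly as they arrived from the client.
STRING_KEYED_PARAMS = { "id" => { "select" => "password_digest" } }

# The step that turns scenario (b) on: some layer in the app (Dave names
# authlogic as one example) recursively symbolises user-supplied keys.
def symbolize_keys(h)
  h.each_with_object({}) do |(k, v), out|
    out[k.to_sym] = v.is_a?(Hash) ? symbolize_keys(v) : v
  end
end

# Scenario (a) as modelled here: untouched params reach the finder.
# The Hash is stringified and quoted as an ordinary value.
def untouched_params_sql
  ToyFinder.find_by_id_sql(STRING_KEYED_PARAMS["id"])
end

# Scenario (b) as modelled here: symbolised params reach the finder and are
# taken for an options Hash, so the attacker's :select fragment is emitted.
def symbolized_params_sql
  ToyFinder.find_by_id_sql(symbolize_keys(STRING_KEYED_PARAMS)[:id])
end

# Defence that does not depend on the framework fix: force the parameter
# into the column's type first. Integer() raises ArgumentError on anything
# that is not an integer literal, so a Hash (or "1 OR 1=1") never gets near
# the finder in either scenario.
def coerced_params_sql(raw)
  id = Integer(raw.to_s, 10)
  ToyFinder.find_by_id_sql(id)
end

if $PROGRAM_NAME == __FILE__
  puts untouched_params_sql
  puts symbolized_params_sql
  puts coerced_params_sql("42")
  begin
    coerced_params_sql(STRING_KEYED_PARAMS["id"])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The model deliberately keeps the finder's behaviour fixed and varies only what the application does to the parameters, because that is the axis Dave's (a)/(b) question turns on. The coercion in `coerced_params_sql` is the cheap, version-independent check worth auditing for in any controller that hands `params` to a finder; it is a complement to upgrading, not a substitute for it.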
Hongli Lai
2013-Jan-04 13:39 UTC
Re: Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
I will update the article with what you said here.

On Thursday, January 3, 2013 7:21:45 PM UTC+1, Michael Koziarski wrote:
> On Friday, 4 January 2013 at 2:16 AM, Hongli Lai wrote:
>> This article explains how the vulnerability works, how it is triggered and what the facts are:
>> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
>
> Please don't give people misleading advice Hongli, when we told people they should upgrade immediately we meant it. It *is* exploitable under some circumstances, so people should be upgrading immediately to avoid the risk.
Ariel Tal
2013-Feb-24 21:21 UTC
Re: [ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
It appears that the same fix has been applied to 2.3.15. Is that correct?

Thanks

On Thursday, January 3, 2013 3:16:39 PM UTC+2, Hongli Lai wrote:
> This article explains how the vulnerability works, how it is triggered and what the facts are:
> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
>
> On Wednesday, January 2, 2013 10:28:36 PM UTC+1, Aaron Patterson wrote:
>> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
>>
>> The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
>>
>> For other changes in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:
>>
>> * [Changes in 3.2.10](https://github.com/rails/rails/compare/v3.2.9...v3.2.10)
>> * [Changes in 3.1.9](https://github.com/rails/rails/compare/v3.1.8...v3.1.9)
>> * [Changes in 3.0.18](https://github.com/rails/rails/compare/v3.0.17...v3.0.18)
>>
>> We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release.
>>
>> To that end, we've minimized the number of changes in each release so that upgrading should be as smooth as possible.
>>
>> Happy Holidays!
>>
>> <3<3<3
>>
>> --
>> Aaron Patterson
>> http://tenderlovemaking.com/

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.