David Heinemeier Hansson
2006-Aug-09 17:46 UTC
Rails 1.1.5: Mandatory security patch (and other tidbits)
We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!

As always, the trick is to do "gem install rails" and then either change config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor.

P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we'll try to work with you on a solution.

--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework
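The announcement gives two upgrade paths (pin the gem in config/environment.rb, or freeze Rails into vendor/rails), which means there are two places an app records which Rails it actually runs. The script below is an added example, not code from the announcement or from Rails itself: it audits both locations and flags anything older than 1.1.5. It assumes a 1.1-era environment.rb pins the gem with a RAILS_GEM_VERSION line, and that a frozen copy carries vendor/rails/railties/lib/rails/version.rb with MAJOR/MINOR/TINY constants; both sample files are constructed inline.

```ruby
require 'rubygems'

# The first release that carries the fix, per the announcement above.
PATCHED_VERSION = Gem::Version.new('1.1.5')

# Constructed sample of a 1.1-era config/environment.rb (not a real file):
# an app bound to gems pins the Rails version with RAILS_GEM_VERSION.
SAMPLE_ENVIRONMENT_RB = <<'RB'
# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '1.1.4' unless defined? RAILS_GEM_VERSION
RB

# Constructed sample of vendor/rails/railties/lib/rails/version.rb, as left
# behind by "rake rails:freeze:gems" (assumed layout; not a real file).
SAMPLE_VERSION_RB = <<'RB'
module Rails
  module VERSION
    MAJOR = 1
    MINOR = 1
    TINY  = 5
    STRING = [MAJOR, MINOR, TINY].join('.')
  end
end
RB

# Version pinned in environment.rb, or nil if the file does not pin one.
def pinned_gem_version(environment_rb)
  m = environment_rb.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/)
  m && m[1]
end

# Version of a frozen copy, read from its MAJOR/MINOR/TINY constants;
# nil if any of the three is missing.
def frozen_version(version_rb)
  parts = %w[MAJOR MINOR TINY].map do |name|
    m = version_rb.match(/^\s*#{name}\s*=\s*(\d+)/)
    m && m[1]
  end
  parts.all? ? parts.join('.') : nil
end

# Anything below 1.1.5, or an unknown version, counts as unpatched.
def needs_upgrade?(version)
  return true if version.nil?
  Gem::Version.new(version) < PATCHED_VERSION
end

# A frozen vendor/rails takes precedence over the gem pin, because Rails
# loads vendor/rails whenever that directory exists: pass the contents of
# its version.rb when the app has one, nil when it does not.
def audit(environment_rb, version_rb = nil)
  if version_rb
    version, source = frozen_version(version_rb), :vendor
  else
    version, source = pinned_gem_version(environment_rb), :gem
  end
  { :version => version, :source => source, :needs_upgrade => needs_upgrade?(version) }
end

if __FILE__ == $0
  gem_only = audit(SAMPLE_ENVIRONMENT_RB)
  puts "gem pin: #{gem_only[:version].inspect}, needs upgrade? #{gem_only[:needs_upgrade]}"
  frozen = audit(SAMPLE_ENVIRONMENT_RB, SAMPLE_VERSION_RB)
  puts "vendor/rails: #{frozen[:version]}, needs upgrade? #{frozen[:needs_upgrade]}"
end
```

Against a real app, replace the two constructed strings with File.read of config/environment.rb and, if it exists, vendor/rails/railties/lib/rails/version.rb. An unreadable or unpinned version is reported as needing the upgrade on purpose: after a mandatory patch, "don't know" is not a safe answer.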
Abdur-Rahman Advany
2006-Aug-12 20:59 UTC
[Rails] Rails 1.1.5: Mandatory security patch (and other tidbits)
Just got this email, a big delay or the wrong message?

David Heinemeier Hansson wrote:
> We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!
>
> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>
> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>
> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.
>
> For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!
>
> As always, the trick is to do "gem install rails" and then either changing config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor.
>
> P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we'll try to work with you on a solution.
Faisal N Jawdat
2006-Aug-13 01:12 UTC
[Rails] Rails 1.1.5: Mandatory security patch (and other tidbits)
On Aug 12, 2006, at 4:48 PM, Abdur-Rahman Advany wrote:
> Just got this email, a big delay or the wrong message?

It looks like some mail server somewhere is a bit overloaded, and some messages are being held for days for some users. Mail I sent the list took 3 days to show up in my inbox. Which was approximately 2 days and 23 hours after I got mail directly replying to that message.

-faisal
Justin Forder
2006-Aug-14 07:15 UTC
Re: Rails 1.1.5: Mandatory security patch (and other tidbits)
David Heinemeier Hansson wrote:
> We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!
>
> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>
> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>
> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

The above message was sent on Wednesday 9th August at 17:46 GMT. It reached my ISP on Monday 14th August at 02:30 GMT. Not the best way to get people to "upgrade today" :-)

Relevant headers:

Received: from lists.rubyonrails.org ([70.84.143.100] helo=wrath.rubyonrails.com) by A.hopeless.aaisp.net.uk ([81.187.81.11]) with AAISP icebox mailer (build Apr 26 2006 09:48:24) for justin-zSfPWr5aQuznITO/+xaoB7VCufUGDwFn@public.gmane.org; Mon, 14 Aug 2006 03:30:53 +0100
Received: from 6d.8f.5446.static.theplanet.com (localhost.rubyonrails.org [127.0.0.1]) by wrath.rubyonrails.com (Postfix) with ESMTP id DC1593A8FB; Wed, 9 Aug 2006 17:58:13 +0000 (GMT)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.187]) by wrath.rubyonrails.com (Postfix) with ESMTP id F279F3BA9F for <rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org>; Wed, 9 Aug 2006 17:46:02 +0000 (GMT)

regards

Justin