Dale Martenson
2006-Aug-09 19:33 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!

As always, the trick is to do "gem install rails" and then either change config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor.

P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we'll try to work with you on a solution.

--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework
Michael Modica
2006-Aug-10 02:40 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Dale Martenson wrote:
> We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!
>
> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>
> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>
> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.
>
> For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!
>
> As always, the trick is to do "gem install rails" and then either change config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor.
>
> P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we'll try to work with you on a solution.
>
> --
> David Heinemeier Hansson
> http://www.loudthinking.com -- Broadcasting Brain
> http://www.basecamphq.com -- Online project management
> http://www.backpackit.com -- Personal information manager
> http://www.rubyonrails.com -- Web-application framework

I suppose this is like shooting the messenger, but isn't this like telling a kid not to touch a hot stove? Seriously!

"The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants."

This WARRANTS full explanation! If there is need enough to alarm the people that use the product, then there is certainly a need to provide disclosure of some sort of what the problem is.

This "attitude" to some degree diminishes the value of Rails. It suddenly took a very cool framework and set it back because of the unprofessional way in which a problem was handled. I firmly believe that you can judge a company (or person or product) not by the way they handle things when things are going well, but by the way they handle things when things go wrong. In business, and life, things go wrong. Handle it properly. This is not the proper way to handle an issue as serious as it sounds.

Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.

If I were hosting a site somewhere or had a true "web app" I would be scared as hell right now. DHH, Rails contributors and others should be providing much more information than this. Right now, people have a "need to know" as well as a "right to know" without having to sift through diffs to determine what happened.

I suspect much bad publicity is going to come from this. Tackle the bull head-on - you can't hide what people will figure out anyway.

Michael
Kevin Olbrich
2006-Aug-10 03:18 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
On Thursday, August 10, 2006, at 4:29 AM, Michael Modica wrote:
> Dale Martenson wrote:
>> We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!
>>
>> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>>
>> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>>
>> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.
>>
>> For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!
>>
>> As always, the trick is to do "gem install rails" and then either change config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor.
>>
>> P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we'll try to work with you on a solution.
>>
>> --
>> David Heinemeier Hansson
>> http://www.loudthinking.com -- Broadcasting Brain
>> http://www.basecamphq.com -- Online project management
>> http://www.backpackit.com -- Personal information manager
>> http://www.rubyonrails.com -- Web-application framework
>
> I suppose this is like shooting the messenger, but isn't this like telling a kid not to touch a hot stove? Seriously!
>
> "The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants."
>
> This WARRANTS full explanation! If there is need enough to alarm the people that use the product, then there is certainly a need to provide disclosure of some sort of what the problem is.
>
> This "attitude" to some degree diminishes the value of Rails. It suddenly took a very cool framework and set it back because of the unprofessional way in which a problem was handled. I firmly believe that you can judge a company (or person or product) not by the way they handle things when things are going well, but by the way they handle things when things go wrong. In business, and life, things go wrong. Handle it properly. This is not the proper way to handle an issue as serious as it sounds.
>
> Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.
>
> If I were hosting a site somewhere or had a true "web app" I would be scared as hell right now. DHH, Rails contributors and others should be providing much more information than this. Right now, people have a "need to know" as well as a "right to know" without having to sift through diffs to determine what happened.
>
> I suspect much bad publicity is going to come from this. Tackle the bull head-on - you can't hide what people will figure out anyway.
>
> Michael

A similar discussion cropped up on the Ruby list where this was first announced. It seems that the consensus on this was to "update first, ask questions later". There is a need to allow people time to roll out the security fixes before discussing the details of what they are.

It is my understanding that an explanation will be forthcoming, but now is not the time for it. So... don't panic. Just upgrade to 1.1.5 ASAP if you have a Rails app out there.

_Kevin
www.sciwerks.com
Carl Fyffe
2006-Aug-10 03:39 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Michael,

This post does not help in any way. I expect within the next week a full explanation of what was wrong, why it was wrong and how it was fixed will be published. This is pretty close to the way it SHOULD work. Give as little ammo as possible to the script kiddies out there while the professionals upgrade their systems. After the professionals have had sufficient time to upgrade, then tell the world what the problem was. The code is open, so if you want to explore what was changed between versions, feel free. Again, they are trying to make it a little more difficult for those who seek to do harm.

So, hop in the car, drive to Starbucks, indulge in some overpriced coffee and chill out. At least a fix was published immediately and we didn't have to wait till the first Tuesday of next month for it to be released.

Carl

On 8/9/06, Michael Modica <codeslush@yahoo.com> wrote:
> Dale Martenson wrote:
>> We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5!
>>
>> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>>
>> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>>
>> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.
>>
>> For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!
>>
>> As always, the trick is to do "gem install rails" and then either change config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor.
>>
>> P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we'll try to work with you on a solution.
>>
>> --
>> David Heinemeier Hansson
>> http://www.loudthinking.com -- Broadcasting Brain
>> http://www.basecamphq.com -- Online project management
>> http://www.backpackit.com -- Personal information manager
>> http://www.rubyonrails.com -- Web-application framework
>
> I suppose this is like shooting the messenger, but isn't this like telling a kid not to touch a hot stove? Seriously!
>
> "The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants."
>
> This WARRANTS full explanation! If there is need enough to alarm the people that use the product, then there is certainly a need to provide disclosure of some sort of what the problem is.
>
> This "attitude" to some degree diminishes the value of Rails. It suddenly took a very cool framework and set it back because of the unprofessional way in which a problem was handled. I firmly believe that you can judge a company (or person or product) not by the way they handle things when things are going well, but by the way they handle things when things go wrong. In business, and life, things go wrong. Handle it properly. This is not the proper way to handle an issue as serious as it sounds.
>
> Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.
>
> If I were hosting a site somewhere or had a true "web app" I would be scared as hell right now. DHH, Rails contributors and others should be providing much more information than this. Right now, people have a "need to know" as well as a "right to know" without having to sift through diffs to determine what happened.
>
> I suspect much bad publicity is going to come from this. Tackle the bull head-on - you can't hide what people will figure out anyway.
>
> Michael
Jim Cheetham
2006-Aug-10 03:40 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale Martenson wrote:
> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

Newbie question; how do I tell what version of Rails I'm running on? If Rails has been frozen into a tree, how do I tell what version that tree is using?

> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

Full disclosure? Seriously; it's not much work for someone to diff 1.1.4 with 1.1.5 and work out what the fix was (well, someone who knows Ruby, that is).

How can I determine whether my exposed web services are vulnerable or not?

-jim
Gabe da Silveira
2006-Aug-10 04:21 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
This is totally correct. The only issue is whether a patch for the 1.0 branch gets released soon.

On Aug 9, 2006, at 9:27 PM, Carl Fyffe wrote:
> This post does not help in any way. I expect within the next week a full explanation of what was wrong, why it was wrong and how it was fixed will be published. This is pretty close to the way it SHOULD work. Give as little ammo as possible to the script kiddies out there while the professionals upgrade their systems. After the professionals have had sufficient time to upgrade, then tell the world what the problem was. The code is open, so if you want to explore what was changed between versions, feel free. Again, they are trying to make it a little more difficult for those who seek to do harm.
>
> So, hop in the car, drive to Starbucks, indulge in some overpriced coffee and chill out. At least a fix was published immediately and we didn't have to wait till the first Tuesday of next month for it to be released.
Aaron Kulbe
2006-Aug-10 04:54 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
rails -v to display the version.

On 8/9/06, Jim Cheetham <jim@gonzul.net> wrote:
> On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale Martenson wrote:
>> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>
> Newbie question; how do I tell what version of Rails I'm running on? If Rails has been frozen into a tree, how do I tell what version that tree is using?
>
>> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>
> Full disclosure? Seriously; it's not much work for someone to diff 1.1.4 with 1.1.5 and work out what the fix was (well, someone who knows Ruby, that is).
>
> How can I determine whether my exposed web services are vulnerable or not?
>
> -jim
Ben Reubenstein
2006-Aug-10 05:17 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
> how do I tell what version of Rails I'm running on?

prompt > rails -v

Also you can boot your app and check out the default Rails page from the localhost. It will give you the gem version that the current app is running.

On 8/9/06, Jim Cheetham <jim@gonzul.net> wrote:
> On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale Martenson wrote:
>> This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
>
> Newbie question; how do I tell what version of Rails I'm running on? If Rails has been frozen into a tree, how do I tell what version that tree is using?
>
>> The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
>
> Full disclosure? Seriously; it's not much work for someone to diff 1.1.4 with 1.1.5 and work out what the fix was (well, someone who knows Ruby, that is).
>
> How can I determine whether my exposed web services are vulnerable or not?
>
> -jim

--
Ben Reubenstein
303-947-0446
http://www.benr75.com
Daniel Burkes
2006-Aug-10 06:13 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
> Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.

While I agree with your sentiment almost entirely, keep in mind that Rails is open source. The Subversion repository is publicly available, so finding the diffs between two releases should be trivial.

This has the consequence of making what you say seem a bit alarmist, and making what DHH said seem a bit ridiculous. "No need to arm would-be assailants"? Man, that train has already left the station...

Now, about the fact that dev.rubyonrails.org is down right now... curiouser and curiouser :-)

Regards,

Danny Burkes
Kirk R
2006-Aug-10 07:09 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Rather well said, Daniel.

On 8/10/06, Daniel Burkes <dburkes@netable.com> wrote:
>> Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.
>
> While I agree with your sentiment almost entirely, keep in mind that Rails is open source. The Subversion repository is publicly available, so finding the diffs between two releases should be trivial.
>
> This has the consequence of making what you say seem a bit alarmist, and making what DHH said seem a bit ridiculous. "No need to arm would-be assailants"? Man, that train has already left the station...
>
> Now, about the fact that dev.rubyonrails.org is down right now... curiouser and curiouser :-)
>
> Regards,
>
> Danny Burkes

--
Just because you're not paranoid doesn't mean they aren't out to get you.
Michael Modica
2006-Aug-10 07:11 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Daniel Burkes wrote:
>> Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.
>
> While I agree with your sentiment almost entirely, keep in mind that Rails is open source. The Subversion repository is publicly available, so finding the diffs between two releases should be trivial.
>
> This has the consequence of making what you say seem a bit alarmist, and making what DHH said seem a bit ridiculous. "No need to arm would-be assailants"? Man, that train has already left the station...
>
> Now, about the fact that dev.rubyonrails.org is down right now... curiouser and curiouser :-)
>
> Regards,
>
> Danny Burkes

Hi Danny,

Not intentionally alarmist - what I mean is just give us a statement as to what the problem is. Yes, Rails is open source, but that doesn't mean I want to spend time digging through versions of source to determine what changed to find the problem. That is time better spent somewhere else and an effort that should not have to be duplicated by all the people using Rails. The fact that it is open should be all the more reason to just say "hey, here is the problem, here is the patch... now apply" instead of "there is a problem, here is the patch, apply." Plus, once people know what the problem was, then they can assess their own data to determine if it was affected or not.

So, what was the problem anyway? Since it is so easy to find via Subversion, I'm curious to know if anyone would care to share what it was!

Just my input!

Michael
Nara Hari
2006-Aug-10 08:35 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Hi,

While I agree in the open source spirit that full information should be disclosed/made available... for the time being, just to say there is a critical patch and apply it is THE safe option. IMHO.

Consider the following:
1) How many patches from IIS/.NET are "pushed" into your system without even any information on what patch it is?
2) Also RoR is relatively new and many people are in the "let's try" or "ain't it cool?" mode, so if they have hosted some of the application, they don't want to be caught unawares.

Also with the RoR architecture of "freezing" your Rails version... you can easily upgrade yourself even if your shared hosting doesn't have the latest patch.

BUT, in the next weeks I would like to "really" know what the security issue was... not yet!

Just my 2 cents!

_Hari
Dick Davies
2006-Aug-10 10:10 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
On 10/08/06, Michael Modica <codeslush@yahoo.com> wrote:
> So, what was the problem anyway? Since it is so easy to find via Subversion, I'm curious to know if anyone would care to share what it was!

If it's stated here, then it might as well be on the blog. Bear in mind a lot of us are at the mercy of hosting providers to upgrade Rails on the shared boxes (which requires a fair bit of co-ordination).

If you don't want to dig through the source, then wait for a week and you'll be told exactly what went boom.

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
Dick Davies
2006-Aug-10 10:28 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
On 10/08/06, Jim Cheetham <jim@gonzul.net> wrote:
> Newbie question; how do I tell what version of Rails I'm running on? If Rails has been frozen into a tree, how do I tell what version that tree is using?

There's a changelog in vendor/rails/railties/CHANGELOG (there also seems to be a variable Rails::VERSION::STRING, but that doesn't seem to be easily visible from ./script/console).

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
Paul Wright
2006-Aug-10 13:08 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
On 10/08/06, Daniel Burkes <dburkes@netable.com> wrote:
>> Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem entirely.
>
> While I agree with your sentiment almost entirely, keep in mind that Rails is open source. The Subversion repository is publicly available, so finding the diffs between two releases should be trivial.
>
> This has the consequence of making what you say seem a bit alarmist, and making what DHH said seem a bit ridiculous. "No need to arm would-be assailants"? Man, that train has already left the station...

And in the interim would-be attackers are in no way hampered by the silence on this issue. Just doing a diff between the different gem versions is enough to hone in on the likely area of the code. So would it really hurt to mention in the announcement that it's a SQL injection attack or a URL hack or a file upload issue or whatever, so people would at least know what to look for? That way people could assess the risks / potential for harm for their specific application and put together an upgrade plan, instead of the "oh, shit, you need to upgrade NOW" warning. Running around blindly running 'gem install rails -y' on all your servers doesn't really instill confidence in the process.

I accept this is the first (at least publicised) time Rails has had any significant security issue, so this is a learning process for most people.

> Now, about the fact that dev.rubyonrails.org is down right now... curiouser and curiouser :-)

I think Trac has been down for quite a while recently, but it certainly doesn't help matters.

Paul.
Jan Prill
2006-Aug-10 14:03 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Hi,

the information on what the security issue is is already in the wild. A little research on the net, and especially in chat rooms, gives you the information in no time. On the mailing list of the RoR user group in Germany there already is a link to a site explaining what the issue seems to be. I don't repeat it here since I'm respecting the decision of the core developers, though I think their decision is plain wrong.

IMHO making it a mystery is appealing to the crowd to find the leak, regardless of whether it's the good or the bad part of the crowd. Therefore I consider mystifying the issue harmful.

Cheers,
Jan

On 8/10/06, Nara Hari <nhariraj@yahoo.com> wrote:
> Hi,
>
> While I agree in the open source spirit that full information should be disclosed/made available... for the time being, just to say there is a critical patch and apply it is THE safe option. IMHO.
>
> Consider the following:
> 1) How many patches from IIS/.NET are "pushed" into your system without even any information on what patch it is?
> 2) Also RoR is relatively new and many people are in the "let's try" or "ain't it cool?" mode, so if they have hosted some of the application, they don't want to be caught unawares.
>
> Also with the RoR architecture of "freezing" your Rails version... you can easily upgrade yourself even if your shared hosting doesn't have the latest patch.
>
> BUT, in the next weeks I would like to "really" know what the security issue was... not yet!
>
> Just my 2 cents!
>
> _Hari
Surendra Singhi
2006-Aug-10 18:18 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
"Jan Prill" <jan.prill@gmail.com> writes:
> IMHO making it a mystery is appealing to the crowd to find the leak, regardless of whether it's the good or the bad part of the crowd. Therefore I consider mystifying the issue harmful.

There is a very good reason for keeping it hidden till people upgrade. You don't want every Tom, Dick and Harry to know about it and try it on the various Rails websites. It is not a mystery for people who understand Rails code and can search the web.

--
Surendra Singhi
http://ssinghi.kreeti.com, http://www.kreeti.com
Read my blog at: http://cuttingtheredtape.blogspot.com/
,----
| "All animals are equal, but some animals are more equal than others."
| -- Orwell, Animal Farm, 1945
`----
Bill Walton
2006-Aug-10 18:44 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
> This is a MANDATORY upgrade

I'm wondering if the hosting companies supporting Rails (a2hosting, which I'm using, for example) have been contacted by the core team, or if we each need to contact the one(s) we're individually using.

What are the rest of you who are using shared hosting doing?

Thanks,
Bill
Michael Siebert
2006-Aug-10 19:15 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
I think you should know that DHH, as he wrote yesterday, wrote about what the bug is in the announcement of 1.1.6, so stop the hell bashing.

suxx

2006/8/10, Surendra Singhi <efuzzyone@netscape.net>:
> "Jan Prill" <jan.prill@gmail.com> writes:
>> IMHO making it a mystery is appealing to the crowd to find the leak, regardless of whether it's the good or the bad part of the crowd. Therefore I consider mystifying the issue harmful.
>
> There is a very good reason for keeping it hidden till people upgrade. You don't want every Tom, Dick and Harry to know about it and try it on the various Rails websites. It is not a mystery for people who understand Rails code and can search the web.
>
> --
> Surendra Singhi
> http://ssinghi.kreeti.com, http://www.kreeti.com
> Read my blog at: http://cuttingtheredtape.blogspot.com/
> ,----
> | "All animals are equal, but some animals are more equal than others."
> | -- Orwell, Animal Farm, 1945
> `----

--
Michael Siebert <info@siebert-wd.de>
www.stellar-legends.de - Weltraum-Browsergame im Alpha-Stadium
Jan Prill
2006-Aug-10 19:39 UTC
[Rails] Re: [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory
Hi Surendra,

it's fully disclosed now, check the Rails blog. IMHO it should have been from the beginning.

Cheers,
Jan
Kyle Slattery
2006-Aug-10 20:23 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
I know Dreamhost has already upgraded to the newest (1.1.6).

On 8/10/06, Bill Walton <bill.walton@charter.net> wrote:
>> This is a MANDATORY upgrade
>
> I'm wondering if the hosting companies supporting Rails (a2hosting, which I'm using, for example) have been contacted by the core team, or if we each need to contact the one(s) we're individually using.
>
> What are the rest of you who are using shared hosting doing?
>
> Thanks,
> Bill
Ed Howland
2006-Aug-10 22:44 UTC
[Rails] [ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
On 8/9/06, Aaron Kulbe <akulbe@gmail.com> wrote:
> rails -v to display the version.

Also script/about

And if you go to the default Welcome Aboard page and click "About your application's environment" it will pop open a list of versions. Or http://localhost:3000/rails_info/properties

In a console:

    Rails::VERSION::STRING
    "1.1.6"

(At last, a question I can answer.)

Ed
--
Ed Howland
http://greenprogrammer.blogspot.com
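Jim Cheetham's question (how to tell which Rails an app is on, especially a frozen one) is answered above one app at a time: Aaron Kulbe's rails -v, Dick Davies' pointer to vendor/rails/railties/CHANGELOG and Rails::VERSION::STRING, Ed Howland's script/about. The script below is an added example, not code from this thread or from the Rails project: given an app root it reads the frozen tree if there is one, otherwise the gem pin, and reports whether the app is still below the release the announcement asks for. It assumes the Rails 1.1-era layout (a RAILS_GEM_VERSION = '...' line in config/environment.rb; MAJOR, MINOR and TINY constants in vendor/rails/railties/lib/rails/version.rb) and that a frozen vendor/rails takes precedence over the gem pin; the sample app trees it writes to a temp directory are constructed for the demo. PATCHED_VERSION defaults to 1.1.5 from the subject line; later replies mention 1.1.6, which can be passed to vulnerable? instead.

```ruby
# Added example: report which Rails an app root is actually using and whether
# it is older than the patched release. Not from the thread or the Rails project.
require 'rubygems'   # Gem::Version for proper version comparison
require 'tmpdir'
require 'fileutils'

PATCHED_VERSION = '1.1.5'   # release the announcement asks everyone to move to

# Assumed Rails 1.1-era layout: a frozen tree carries
# vendor/rails/railties/lib/rails/version.rb with MAJOR/MINOR/TINY constants.
def frozen_rails_version(app_root)
  path = File.join(app_root, 'vendor', 'rails', 'railties', 'lib', 'rails', 'version.rb')
  return nil unless File.file?(path)
  src = File.read(path)
  parts = %w[MAJOR MINOR TINY].map { |c| src[/^\s*#{c}\s*=\s*(\d+)/, 1] }
  return nil if parts.any?(&:nil?)
  parts.join('.')
end

# Assumed layout: apps bound to gems pin the version in config/environment.rb as
#   RAILS_GEM_VERSION = '1.1.4' unless defined? RAILS_GEM_VERSION
def pinned_gem_version(app_root)
  path = File.join(app_root, 'config', 'environment.rb')
  return nil unless File.file?(path)
  File.read(path)[/^\s*RAILS_GEM_VERSION\s*=\s*['"]([^'"]+)['"]/, 1]
end

# A frozen vendor/rails is assumed to win over the gem pin (Rails boots from
# vendor/rails first when that directory exists).
def effective_rails_version(app_root)
  frozen = frozen_rails_version(app_root)
  return [frozen, :frozen] if frozen
  pinned = pinned_gem_version(app_root)
  return [pinned, :gem] if pinned
  [nil, :unknown]
end

# Unknown version is treated as unpatched: you cannot prove it safe.
def vulnerable?(version, patched = PATCHED_VERSION)
  return true if version.nil?
  Gem::Version.new(version) < Gem::Version.new(patched)
end

def audit(app_root, patched = PATCHED_VERSION)
  version, source = effective_rails_version(app_root)
  { :version => version, :source => source, :vulnerable => vulnerable?(version, patched) }
end

# Constructed sample app trees for the demo (not real deployments).
def build_sample_app(root, frozen_version, gem_version)
  FileUtils.mkdir_p(File.join(root, 'config'))
  if gem_version
    File.write(File.join(root, 'config', 'environment.rb'),
               "RAILS_GEM_VERSION = '#{gem_version}' unless defined? RAILS_GEM_VERSION\n")
  end
  if frozen_version
    dir = File.join(root, 'vendor', 'rails', 'railties', 'lib', 'rails')
    FileUtils.mkdir_p(dir)
    major, minor, tiny = frozen_version.split('.')
    File.write(File.join(dir, 'version.rb'),
               "module Rails\n  module VERSION\n    MAJOR = #{major}\n    MINOR = #{minor}\n" \
               "    TINY  = #{tiny}\n    STRING = [MAJOR, MINOR, TINY].join('.')\n  end\nend\n")
  end
  root
end

# Four constructed cases: frozen and old, gem-pinned and patched, frozen old
# tree shadowing a patched gem pin, and an app with no version information.
def demo
  Dir.mktmpdir do |tmp|
    {
      :frozen_old  => audit(build_sample_app(File.join(tmp, 'a'), '1.1.4', nil)),
      :gem_new     => audit(build_sample_app(File.join(tmp, 'b'), nil, '1.1.5')),
      :frozen_wins => audit(build_sample_app(File.join(tmp, 'c'), '1.1.4', '1.1.5')),
      :none        => audit(build_sample_app(File.join(tmp, 'd'), nil, nil)),
    }
  end
end

if __FILE__ == $0
  demo.each do |name, r|
    puts "#{name}: rails #{r[:version].inspect} via #{r[:source]} -> #{r[:vulnerable] ? 'UPGRADE' : 'ok'}"
  end
end
```

The :frozen_wins case is the one that bites on shared hosts: the provider upgrading the system gem (as Kyle Slattery reports Dreamhost did) changes nothing for an app that froze 1.1.4 into vendor/rails, so the audit has to look at the frozen tree before the gem pin.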