Rails - Aug 2006 - DHH''s Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)

We''re still hard at work on Rails 1.2, which features all the new
dandy REST stuff and more, but a serious security concern has come to
our attention that needed to be addressed sooner than the release of
1.2 would allow. So here''s Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent
edge (which isn''t affected by this). If you have a public Rails site,
you MUST upgrade to Rails 1.1.5. The security issue is severe and you
do not want to be caught unpatched.

The issue is in fact of such a criticality that we''re not going to dig
into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We''ve made sure that Rails 1.1.5 is
fully drop-in compatible with 1.1.4. It only includes a handful of bug
fixes and no new features.

For the third time: This is not like "sure, I should be flooshing my
teeth". This is "yes, I will wear my helmet as I try to go 100mph on a
motorcycle through downtown in rush hour". It''s not a suggestion,
it''s
a prescription. So get to it!

As always, the trick is to do "gem install rails" and then either
changing config/environment.rb, if you''re bound to gems, or do
"rake
rails:freeze:gems" if you''re freezing gems in vendor.

P.S.: If you run a major Rails site and for some reason are completely
unable to upgrade to 1.1.5, get in touch with the core team and we''ll
try to work with you on a solution.
--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework


-- 
Posted with http://DevLists.com.  Sign up and save your mailbox.

Dale Martenson wrote:
> We''re still hard at work on Rails 1.2, which features all the new
> dandy REST stuff and more, but a serious security concern has come to
> our attention that needed to be addressed sooner than the release of
> 1.2 would allow. So here''s Rails 1.1.5!
> 
> This is a MANDATORY upgrade for anyone not running on a very recent
> edge (which isn''t affected by this). If you have a public Rails
site,
> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> do not want to be caught unpatched.
> 
> The issue is in fact of such a criticality that we''re not going to
dig
> into the specifics. No need to arm would-be assailants.
> 
> So upgrade today, not tomorrow. We''ve made sure that Rails 1.1.5
is
> fully drop-in compatible with 1.1.4. It only includes a handful of bug
> fixes and no new features.
> 
> For the third time: This is not like "sure, I should be flooshing my
> teeth". This is "yes, I will wear my helmet as I try to go 100mph
on a
> motorcycle through downtown in rush hour". It''s not a
suggestion, it''s
> a prescription. So get to it!
> 
> As always, the trick is to do "gem install rails" and then either
> changing config/environment.rb, if you''re bound to gems, or do
"rake
> rails:freeze:gems" if you''re freezing gems in vendor.
> 
> P.S.: If you run a major Rails site and for some reason are completely
> unable to upgrade to 1.1.5, get in touch with the core team and
we''ll
> try to work with you on a solution.
> --
> David Heinemeier Hansson
> http://www.loudthinking.com -- Broadcasting Brain
> http://www.basecamphq.com -- Online project management
> http://www.backpackit.com -- Personal information manager
> http://www.rubyonrails.com -- Web-application framework
I suppose this is like shooting the messenger but isn''t this like 
telling a kid not to touch a hot stove?  Serioulsy!

"The issue is in fact of such a criticality that we''re not going
to dig
into the specifics. No need to arm would-be assailants."

This WARRANTS full explanation!  If there is need enough to alarm the 
people that use the product then there is certainly a need to provide 
disclosure of some sort of what the problem is.

This "attitude" to some degree diminishes the value of Rails.  It 
suddenly took a very cool framework and set it back because of the 
unprofessional way in which a problem was handled.  I firmly believe 
that you can judge a company (or person or product) not by the way they 
handle things when things are going well, but by the way they handle 
things when things go wrong.  In business, and life, things go wrong. 
Handle it properly.  This is not the proper way to handle an issue as 
serious as it sounds.

Provide the details.  COMMUNICATE to people so they know WHAT the 
problem is and what their exposure is.  NEVER put out a generic 
statement like this - it is almost as bad as hiding the problem 
entirely.

If I were hosting a site somewhere or had a true "web app" I would be 
scared as hell right now.  DHH, Rails contributors and others should be 
providing much more information than this.  Right now, people have a 
"need to know" as well as a "right to know" without having
to sift
through diffs to determine what happened.

I suspect much bad publicity is going to come from this.  Tackle the 
bull head-on - you can''t hide what people will figure out anyway.

Michael

-- 
Posted via http://www.ruby-forum.com/.

On Thursday, August 10, 2006, at 4:29 AM, Michael Modica
wrote:
>Dale Martenson wrote:
>> We''re still hard at work on Rails 1.2, which features all the
new
>> dandy REST stuff and more, but a serious security concern has come to
>> our attention that needed to be addressed sooner than the release of
>> 1.2 would allow. So here''s Rails 1.1.5!
>>
>> This is a MANDATORY upgrade for anyone not running on a very recent
>> edge (which isn''t affected by this). If you have a public
Rails site,
>> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
>> do not want to be caught unpatched.
>>
>> The issue is in fact of such a criticality that we''re not
going to dig
>> into the specifics. No need to arm would-be assailants.
>>
>> So upgrade today, not tomorrow. We''ve made sure that Rails
1.1.5 is
>> fully drop-in compatible with 1.1.4. It only includes a handful of bug
>> fixes and no new features.
>>
>> For the third time: This is not like "sure, I should be flooshing
my
>> teeth". This is "yes, I will wear my helmet as I try to go
100mph on a
>> motorcycle through downtown in rush hour". It''s not a
suggestion, it''s
>> a prescription. So get to it!
>>
>> As always, the trick is to do "gem install rails" and then
either
>> changing config/environment.rb, if you''re bound to gems, or do
"rake
>> rails:freeze:gems" if you''re freezing gems in vendor.
>>
>> P.S.: If you run a major Rails site and for some reason are completely
>> unable to upgrade to 1.1.5, get in touch with the core team and
we''ll
>> try to work with you on a solution.
>> --
>> David Heinemeier Hansson
>> http://www.loudthinking.com -- Broadcasting Brain
>> http://www.basecamphq.com -- Online project management
>> http://www.backpackit.com -- Personal information manager
>> http://www.rubyonrails.com -- Web-application framework
>
>I suppose this is like shooting the messenger but isn''t this like
>telling a kid not to touch a hot stove?  Serioulsy!
>
>"The issue is in fact of such a criticality that we''re not
going to dig
>into the specifics. No need to arm would-be assailants."
>
>This WARRANTS full explanation!  If there is need enough to alarm the
>people that use the product then there is certainly a need to provide
>disclosure of some sort of what the problem is.
>
>This "attitude" to some degree diminishes the value of Rails.  It
>suddenly took a very cool framework and set it back because of the
>unprofessional way in which a problem was handled.  I firmly believe
>that you can judge a company (or person or product) not by the way they
>handle things when things are going well, but by the way they handle
>things when things go wrong.  In business, and life, things go wrong.
>Handle it properly.  This is not the proper way to handle an issue as
>serious as it sounds.
>
>Provide the details.  COMMUNICATE to people so they know WHAT the
>problem is and what their exposure is.  NEVER put out a generic
>statement like this - it is almost as bad as hiding the problem
>entirely.
>
>If I were hosting a site somewhere or had a true "web app" I would
be
>scared as hell right now.  DHH, Rails contributors and others should be
>providing much more information than this.  Right now, people have a
>"need to know" as well as a "right to know" without
having to sift
>through diffs to determine what happened.
>
>I suspect much bad publicity is going to come from this.  Tackle the
>bull head-on - you can''t hide what people will figure out anyway.
>
>Michael
>
>--
>Posted via http://www.ruby-forum.com/.
>_______________________________________________
>Rails mailing list
>Rails@lists.rubyonrails.org
>http://lists.rubyonrails.org/mailman/listinfo/rails
A similar discussion cropped up on the Ruby list where this was first  
announced.  It seems that the consensus on this was to: "update first,  
ask questions later".

There is a need to allow people time to roll out the security fixes  
before discussing the details of what they are.

It is my understanding that an explanation will be forthcoming, but now  
is not the time for it.

So... don''t panic.  Just upgrade to 1.1.5 ASAP if you have a rails app
out there.

_Kevin
www.sciwerks.com

-- 
Posted with http://DevLists.com.  Sign up and save your mailbox.

Michael,

This post does not help in any way. I expect within the next week a
full explanation of what was wrong, why it was wrong and how it was
fixed will be published. This is pretty close to the way it SHOULD
work. Give as little amo as possible to the script kiddies out there
while the professionals upgrade their systems. After the professionals
have had sufficient time to upgrade, then tell the world what the
problem was. The code is open, so if you want to explore what was
changed between versions feel free. Again, they are trying to make it
a little more difficult for those who seek to do harm.

So, hop in the car, drive to Starbucks, indulge in some overpriced
coffee and chill out. At least a fix was published immediately and we
didn''t have to wait til the first Tuesday of next month for it to be
released.

Carl

On 8/9/06, Michael Modica <codeslush@yahoo.com>
wrote:
> Dale Martenson wrote:
> > We''re still hard at work on Rails 1.2, which features all the
new
> > dandy REST stuff and more, but a serious security concern has come to
> > our attention that needed to be addressed sooner than the release of
> > 1.2 would allow. So here''s Rails 1.1.5!
> >
> > This is a MANDATORY upgrade for anyone not running on a very recent
> > edge (which isn''t affected by this). If you have a public
Rails site,
> > you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> > do not want to be caught unpatched.
> >
> > The issue is in fact of such a criticality that we''re not
going to dig
> > into the specifics. No need to arm would-be assailants.
> >
> > So upgrade today, not tomorrow. We''ve made sure that Rails
1.1.5 is
> > fully drop-in compatible with 1.1.4. It only includes a handful of bug
> > fixes and no new features.
> >
> > For the third time: This is not like "sure, I should be flooshing
my
> > teeth". This is "yes, I will wear my helmet as I try to go
100mph on a
> > motorcycle through downtown in rush hour". It''s not a
suggestion, it''s
> > a prescription. So get to it!
> >
> > As always, the trick is to do "gem install rails" and then
either
> > changing config/environment.rb, if you''re bound to gems, or
do "rake
> > rails:freeze:gems" if you''re freezing gems in vendor.
> >
> > P.S.: If you run a major Rails site and for some reason are completely
> > unable to upgrade to 1.1.5, get in touch with the core team and
we''ll
> > try to work with you on a solution.
> > --
> > David Heinemeier Hansson
> > http://www.loudthinking.com -- Broadcasting Brain
> > http://www.basecamphq.com -- Online project management
> > http://www.backpackit.com -- Personal information manager
> > http://www.rubyonrails.com -- Web-application framework
>
> I suppose this is like shooting the messenger but isn''t this like
> telling a kid not to touch a hot stove?  Serioulsy!
>
> "The issue is in fact of such a criticality that we''re not
going to dig
> into the specifics. No need to arm would-be assailants."
>
> This WARRANTS full explanation!  If there is need enough to alarm the
> people that use the product then there is certainly a need to provide
> disclosure of some sort of what the problem is.
>
> This "attitude" to some degree diminishes the value of Rails.  It
> suddenly took a very cool framework and set it back because of the
> unprofessional way in which a problem was handled.  I firmly believe
> that you can judge a company (or person or product) not by the way they
> handle things when things are going well, but by the way they handle
> things when things go wrong.  In business, and life, things go wrong.
> Handle it properly.  This is not the proper way to handle an issue as
> serious as it sounds.
>
> Provide the details.  COMMUNICATE to people so they know WHAT the
> problem is and what their exposure is.  NEVER put out a generic
> statement like this - it is almost as bad as hiding the problem
> entirely.
>
> If I were hosting a site somewhere or had a true "web app" I
would be
> scared as hell right now.  DHH, Rails contributors and others should be
> providing much more information than this.  Right now, people have a
> "need to know" as well as a "right to know" without
having to sift
> through diffs to determine what happened.
>
> I suspect much bad publicity is going to come from this.  Tackle the
> bull head-on - you can''t hide what people will figure out anyway.
>
> Michael
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale Martenson
wrote:
> This is a MANDATORY upgrade for anyone not running on a very recent
> edge (which isn''t affected by this). If you have a public Rails
site,
> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> do not want to be caught unpatched.
Newbie question; how do I tell what version of Rails I''m running on?
If Rails has been frozen into a tree, how do I tell what version that
tree is using?
> The issue is in fact of such a criticality that we''re not going to
dig
> into the specifics. No need to arm would-be assailants.
Full disclosure? Seriously; it''s not much work for someone to diff
1.1.4
with 1.1.5 and work out what the fix was (well, someone who knows Ruby,
that is).

How can I determine wether my exposed web services are vulnerable or
not?

-jim

This is totally correct.  The only issue is whether a patch for the  
1.0 branch gets released soon.



On Aug 9, 2006, at 9:27 PM, Carl Fyffe wrote:
> This post does not help in any way. I expect within the next week a
> full explanation of what was wrong, why it was wrong and how it was
> fixed will be published. This is pretty close to the way it SHOULD
> work. Give as little amo as possible to the script kiddies out there
> while the professionals upgrade their systems. After the professionals
> have had sufficient time to upgrade, then tell the world what the
> problem was. The code is open, so if you want to explore what was
> changed between versions feel free. Again, they are trying to make it
> a little more difficult for those who seek to do harm.
>
> So, hop in the car, drive to Starbucks, indulge in some overpriced
> coffee and chill out. At least a fix was published immediately and we
> didn''t have to wait til the first Tuesday of next month for it to
be
> released.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/907adc92/attachment.html

rails -v to display the version.

On 8/9/06, Jim Cheetham <jim@gonzul.net> wrote:
>
> On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale Martenson wrote:
> > This is a MANDATORY upgrade for anyone not running on a very recent
> > edge (which isn''t affected by this). If you have a public
Rails site,
> > you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> > do not want to be caught unpatched.
>
> Newbie question; how do I tell what version of Rails I''m running
on?
> If Rails has been frozen into a tree, how do I tell what version that
> tree is using?
>
> > The issue is in fact of such a criticality that we''re not
going to dig
> > into the specifics. No need to arm would-be assailants.
>
> Full disclosure? Seriously; it''s not much work for someone to diff
1.1.4
> with 1.1.5 and work out what the fix was (well, someone who knows Ruby,
> that is).
>
> How can I determine wether my exposed web services are vulnerable or
> not?
>
> -jim
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/8824a13a/attachment.html

> how do I tell what version of Rails I''m running on?
prompt > rails -v

Also you can boot your app and check out the default rails page from the
localhost.  It will give you the gem version that the current app is
running.

On 8/9/06, Jim Cheetham <jim@gonzul.net> wrote:
>
> On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale Martenson wrote:
> > This is a MANDATORY upgrade for anyone not running on a very recent
> > edge (which isn''t affected by this). If you have a public
Rails site,
> > you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> > do not want to be caught unpatched.
>
> Newbie question; how do I tell what version of Rails I''m running
on?
> If Rails has been frozen into a tree, how do I tell what version that
> tree is using?
>
> > The issue is in fact of such a criticality that we''re not
going to dig
> > into the specifics. No need to arm would-be assailants.
>
> Full disclosure? Seriously; it''s not much work for someone to diff
1.1.4
> with 1.1.5 and work out what the fix was (well, someone who knows Ruby,
> that is).
>
> How can I determine wether my exposed web services are vulnerable or
> not?
>
> -jim
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>


-- 
Ben Reubenstein
303-947-0446
http://www.benr75.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/03e34526/attachment.html

> Provide the details.  COMMUNICATE to people so they know WHAT the 
> problem is and what their exposure is.  NEVER put out a generic 
> statement like this - it is almost as bad as hiding the problem 
> entirely.
> 
While I agree with your sentiment almost entirely, keep in mind that 
Rails is open source.  The subversion repository is publicly available, 
so, finding the diffs between two releases should be trivial.

This has the consequence of making what you say seem a bit alarmist, and 
making what DHH said seem a bit ridiculous.  "No need to arm would be 
assailants"?  Man, that train has already left the station...

Now, about the fact that dev.rubyonrails.org is down right 
now...curiouser and curiouser :-)

Regards,

Danny Burkes

-- 
Posted via http://www.ruby-forum.com/.

Rather well said Daniel

On 8/10/06, Daniel Burkes <dburkes@netable.com>
wrote:
> > Provide the details.  COMMUNICATE to people so they know WHAT the
> > problem is and what their exposure is.  NEVER put out a generic
> > statement like this - it is almost as bad as hiding the problem
> > entirely.
> >
>
> While I agree with your sentiment almost entirely, keep in mind that
> Rails is open source.  The subversion repository is publicly available,
> so, finding the diffs between two releases should be trivial.
>
> This has the consequence of making what you say seem a bit alarmist, and
> making what DHH said seem a bit ridiculous.  "No need to arm would be
> assailants"?  Man, that train has already left the station...
>
> Now, about the fact that dev.rubyonrails.org is down right
> now...curiouser and curiouser :-)
>
> Regards,
>
> Danny Burkes
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

-- 

Just because you ''re not paranoid doesn''t
mean they aren''t out to get you.

Daniel Burkes wrote:
>> Provide the details.  COMMUNICATE to people so they know WHAT the 
>> problem is and what their exposure is.  NEVER put out a generic 
>> statement like this - it is almost as bad as hiding the problem 
>> entirely.
>> 
> 
> While I agree with your sentiment almost entirely, keep in mind that 
> Rails is open source.  The subversion repository is publicly available, 
> so, finding the diffs between two releases should be trivial.
> 
> This has the consequence of making what you say seem a bit alarmist, and 
> making what DHH said seem a bit ridiculous.  "No need to arm would be 
> assailants"?  Man, that train has already left the station...
> 
> Now, about the fact that dev.rubyonrails.org is down right 
> now...curiouser and curiouser :-)
> 
> Regards,
> 
> Danny Burkes
Hi Danny,

Not intentionally alarmist - what I mean is just give us a statement as 
to what the problem is.  Yes, Rails is open source, but that doesn''t 
mean I want to spend time digging through versions of source to 
determine what changed to find the problem.  That is time better spent 
somewhere else and an effort that should not have to be duplicated by 
all the people using rails.  The fact that it is open should be all the 
more reason to just say "hey, here is the problem, here is the 
patch...now apply" instead of "there is a problem, here is the patch, 
apply."  Plus, once people know what the problem was then they can 
assess their own data to determine if it was affected or not.

So, what was the problem anyway?  Since it is so easy to find via 
subversion then I''m curious to know if anyone would care to share what 
it was!

Just my input!

Michael

-- 
Posted via http://www.ruby-forum.com/.

Hi,

While I agree in the open source spirit that full information should be
disclosed/made available...for the time being just to say there is a
critical patch and apply it is THE safe option. IMHO.

Consider the following:
1) How many patches from IIS/.NET are "pushed" into your system
without even
any information on what patch it is?
2) Also RoR is relatively new and many people are in the "let''s
try or ain''t
it cool?" mode, so if they have hosted some of the application, they
don''t
want to be caught unawares.

Also with the RoR architecture of "freezing" your Rails version...you
can
easily upgrade yourself even if your shared hosting doesn''t have the
latest
patch.

BUT, in the next weeks I would like to "really" know what was the
security
issue...not yet!

Just my 2 cents!

_Hari
-- 
View this message in context:
http://www.nabble.com/-ANN--DHH%27s-Post-on-Ruby-Talk----Rails-1.1.5%3A-Mandatory-security-patch-%28and-other-tidbits%29-tf2080917.html#a5740415
Sent from the RubyOnRails Users forum at Nabble.com.

On 10/08/06, Michael Modica <codeslush@yahoo.com> wrote:
> So, what was the problem anyway?  Since it is so easy to find via
> subversion then I''m curious to know if anyone would care to share
what
> it was!
If it''s stated here, then it might as well be on the blog.

Bear in mind a lot of us are at the mercy of hosting providers to
upgrade rails on the shared boxes (which requires a fair bit of co-ordination).

If you don''t want to dig through the source, then wait for a week and
you''ll be told exactly what went boom.


-- 
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/

On 10/08/06, Jim Cheetham <jim@gonzul.net> wrote:
> Newbie question; how do I tell what version of Rails I''m running
on?
> If Rails has been frozen into a tree, how do I tell what version that
> tree is using?
There''s a changelog in

vendor/rails/railties/CHANGELOG

(there also seems to be a variable Rails::VERSION::STRING , but
that doesn''t seem to be easily visible from ./script/console

-- 
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/

On 10/08/06, Daniel Burkes <dburkes@netable.com>
wrote:
> > Provide the details.  COMMUNICATE to people so they know WHAT the
> > problem is and what their exposure is.  NEVER put out a generic
> > statement like this - it is almost as bad as hiding the problem
> > entirely.
> >
>
> While I agree with your sentiment almost entirely, keep in mind that
> Rails is open source.  The subversion repository is publicly available,
> so, finding the diffs between two releases should be trivial.
>
> This has the consequence of making what you say seem a bit alarmist, and
> making what DHH said seem a bit ridiculous.  "No need to arm would be
> assailants"?  Man, that train has already left the station...
And in the interim would-be attackers are in no way hampered by the
silence on this issue.  Just doing a diff between the different gem
versions is enough to hone in on the likely area of the code.  So
would it really hurt to mention in the announcement that it''s a SQL
injection attack or a URL hack or a file upload issue or whatever so
people would at least know what to look for?

That way people could assess the risks / potential for harm for their
specific application and help them put together a upgrade plan,
instead of the "oh, shit, you need to upgrade NOW" warning.  Running
around blinding running ''gem install rails -y'' on all your
servers
doesn''t really instill confidence in the process. I accept this is the
first (at least publicised) time rails has had any significant
security issue so this is a learning process for most people.
> Now, about the fact that dev.rubyonrails.org is down right
> now...curiouser and curiouser :-)
I think Trac has been down for quite a while recently but certainly
doesn''t help matters.

Paul.

Hi,

the information what the security issue is already in the wild. A little
research on the net and especially in chat rooms gives you the information
in no time. On the mailing list of the ror user group in germany there
already is a link to a site explaining what the issue seems to be. I
don''t
repeat it here since I''m respecting the decision of the core developers
though I think there decision is plain wrong.

IMHO making it a mystery is appealing the crowd to find the leak, regardless
if it''s the good or the bad part of the crowd. Therefore I consider
mystifying the issue harmful.

Cheers,
Jan

On 8/10/06, Nara Hari <nhariraj@yahoo.com> wrote:
>
>
> Hi,
>
> While I agree in the open source spirit that full information should be
> disclosed/made available...for the time being just to say there is a
> critical patch and apply it is THE safe option. IMHO.
>
> Consider the following:
> 1) How many patches from IIS/.NET are "pushed" into your system
without
> even
> any information on what patch it is?
> 2) Also RoR is relatively new and many people are in the
"let''s try or
> ain''t
> it cool?" mode, so if they have hosted some of the application, they
don''t
> want to be caught unawares.
>
> Also with the RoR architecture of "freezing" your Rails
version...you can
> easily upgrade yourself even if your shared hosting doesn''t have
the
> latest
> patch.
>
> BUT, in the next weeks I would like to "really" know what was the
security
> issue...not yet!
>
> Just my 2 cents!
>
> _Hari
> --
> View this message in context:
>
http://www.nabble.com/-ANN--DHH%27s-Post-on-Ruby-Talk----Rails-1.1.5%3A-Mandatory-security-patch-%28and-other-tidbits%29-tf2080917.html#a5740415
> Sent from the RubyOnRails Users forum at Nabble.com.
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/6219d98b/attachment.html

"Jan Prill" <jan.prill@gmail.com>
writes:
>
> IMHO making it a mystery is appealing the crowd to find the leak,
regardless
> if it''s the good or the bad part of the crowd. Therefore I
consider
> mystifying the issue harmful.
>
There is a very good reason for keeping it hidden till people upgrade. You
don''t want every Tom, Dick and Harry to know about it and try it on the
various Rails websites. It is not a mystery for people who understand Rails
code and can search the web.

-- 
Surendra Singhi
http://ssinghi.kreeti.com, http://www.kreeti.com
Read my blog at: http://cuttingtheredtape.blogspot.com/
,----
| "All animals are equal, but some animals are more equal than
others."
|     -- Orwell, Animal Farm, 1945
`----

> This is a MANDATORY upgrade
I''m wondering if the hosting companies supporting Rails (a2hosting,
which
I''m using, for example) have been contacted by the core team, or if we
each
need to contact the one(s) we''re individually using.

What are the rest of you who are using shared hosting doing?

Thanks,
Bill

think you should know that dhh, as he wrote yesterday, wrote about what the
bug is in the ann of 1.1.6, so stop the hell bashing. suxx

2006/8/10, Surendra Singhi
<efuzzyone@netscape.net>:
>
> "Jan Prill" <jan.prill@gmail.com> writes:
> >
> > IMHO making it a mystery is appealing the crowd to find the leak,
> regardless
> > if it''s the good or the bad part of the crowd. Therefore I
consider
> > mystifying the issue harmful.
> >
> There is a very good reason for keeping it hidden till people upgrade. You
> don''t want every Tom, Dick and Harry to know about it and try it
on the
> various Rails websites. It is not a mystery for people who understand
> Rails
> code and can search the web.
>
> --
> Surendra Singhi
> http://ssinghi.kreeti.com, http://www.kreeti.com
> Read my blog at: http://cuttingtheredtape.blogspot.com/
> ,----
> | "All animals are equal, but some animals are more equal than
others."
> |     -- Orwell, Animal Farm, 1945
> `----
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>


-- 
Michael Siebert <info@siebert-wd.de>

www.stellar-legends.de - Weltraum-Browsergame im Alpha-Stadium
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/e05029d7/attachment.html

Hi Surenda,

it''s fully disclosed now, check the rails blog. IMHO it should have
been
from the beginning.

Cheers,
Jan
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/98f4606b/attachment.html

I know Dreamhost has already upgraded to the newest (1.1.6)

On 8/10/06, Bill Walton <bill.walton@charter.net>
wrote:
>
> > This is a MANDATORY upgrade
>
> I''m wondering if the hosting companies supporting Rails
(a2hosting, which
> I''m using, for example) have been contacted by the core team, or
if we
> each
> need to contact the one(s) we''re individually using.
>
> What are the rest of you who are using shared hosting doing?
>
> Thanks,
> Bill
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060810/eafb8401/attachment.html

On 8/9/06, Aaron Kulbe <akulbe@gmail.com> wrote:
> rails -v to display the version.
Also script/about

And if you go to the default Welcome Aboard page and click "About your
 application''s environment" it will pop open a list of versions.

Or http://localhost:3000/rails_info/properties

In a console:
   Rails::VERSION::STRING

"1.1.6"

(At last, a question I can answer.)

Ed


-- 
Ed Howland
http://greenprogrammer.blogspot.com