Major Security Hole Found In Rails

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

Major Security Hole Found In Rails

[kjart]

...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.

Re: Major Security Hole Found In Rails

[jkrise]

Don't you find it odd that the conductor is alive and kicking, while hundreds of passengers died? I thought this scenario exists only in the software world, where the vendor escapes scot-free after defective software crashes his cutomers' systems...

Re: Major Security Hole Found In Rails

[neonprimetime]

I see it all the time in real life. Drunk Driver survives but kills family. No brain, no pain I guess.

Re: Major Security Hole Found In Rails

[Anonymous Coward]

It's probably urban legend but when I was a child, my parents told me that the safest place to be on a bus is precisely behind the bus driver. The reason? If the bus is heading towards danger, the bus driver will instinctly try to steer *away* from personal danger, and because of inertia (as you swing around) that would logically put the rest of the bus directly in the path of danger. As a child, I looked at the news with curiosity to see if this was true. Curiously, at least in my area, it did seem that bu

Re: Major Security Hole Found In Rails

[GGardner]

Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?

Re: Major Security Hole Found In Rails

[flurdy]

If they are dont want to say what is wrong, im more inclined to believe the website itself has been hacked and the security flaw, troan etc, is in the latest release.

All spam say: Upgrade immidietly, click here etc. without really saying why.

Re: Major Security Hole Found In Rails

[elbenito69]

Sounds a lot like Amtrak...

Re: Major Security Hole Found In Rails

[Anonymous Coward]

Why did the conductor need to know where exactly the hole was? He was told just to stop the train ASAP!

Kids are so lazy those days...

[Anonymous Coward]

reviewing the diff between the versions, this is what I found:

1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find

2. in the changelog for actionpack, we have:

* Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]

So, I'd say the problem is on some of those.

Re: Major Security Hole Found In Rails

[m0rph3us0]

They should have been made of Rearden metal and this would not have happend.

Diff?

[KiloByte]

Upgrading to version 1.1.5 is extremely urgent. [...] The rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."

Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

Re:Diff?

[TubeSteak]

Get Your Source Code Here

http://rubyforge.org/frs/?group_id=307 [rubyforge.org]

Re:Diff?

[Steeltoe]

Get Your Source Code Here

http://rubyforge.org/frs/?group_id=307 [rubyforge.org]

So "Security through Obscurity" wins after all?

Great... Just great....

You better be quick though, to beat my nightly apt-get. ;)

Idea coming in: Distros should get the changes FIRST, then the developers announce it 1 day afterwards.. That would be perfect :D

Re:Diff?

[CastrTroy]

The thing is, when you find a hole, the only safe assumption is to assume that the black hats already know about it. This means that you should get your fix out as soon as possible, to as many people as possible. You could pass on the changes to the major distros first, but that doesn't mean that they will make it available to their users right away. It make take a couple weeks before they complete testing and integration and who knows, they may never release it to their users. By releasing the fix direc

Re:Diff?

[HiThere]

Running diff will tell what changes they made. You'll still need to figure out the exploit.

P.S.: All security is security either through obscurity or through immutability. And immutabilities limits what you can do. But if you rely on obscurity it better REALLY be obscure, or you had better only rely on it for a short period of time.

Re:Diff?

[Anonymous Coward]

You can run diff, but it looks liked the cleverly (depending how you look at it) renamed a bunch of the files to make a simple "diff -r" useless.

Seems to be a SQL injection sploit

[molarmass192]

Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find

Re:Seems to be a SQL injection sploit

[cdcarter]

It's not, in IRC we were able to figure it out because of employer concerns.

Re:Seems to be a SQL injection sploit

[Pollardito]

that's what they get for too-precise naming of functions. they should have named it nothing_to_see_here_move_along for the first week of release until people had patched...

Re:Diff?

[Vexorian]

Someguys release automatic exploit script once a vulnerability is found, then they release it on sites that are full of script kiddies.

Re:Diff?

[mcrbids]

Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

diff?

Wow! What a cool tool! Now I know where to get started!

How few?

[thePowerOfGrayskull]

It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.

Re:How few?

[trickster721]

Penny Arcade runs on it... occasionally.

Re:How few?

[cortana]

Have they fixed their archives yet?

Funny / True

[yem]

Penny Arcade is the worst advertisement for Rails there is.
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)

Re:Funny / True

[geniusj]

Most of that site is statically generated from rails, so Rails itself shouldn't be under much load.

Re:Funny / True

[I Like Pudding]

> Penny Arcade is the worst advertisement for Rails there is.

Agreed. Whoever wrote that didn't get site nav working properly. Site nav. For a web comic. Hard to blame the ability to *GASP* move back and forward in a linear dataset on Rails.

Re:Funny / True

[I Like Pudding]

...which is why they are winning all sorts of awards and getting all sorts of buzz for Basecamp, right?

Re:Funny / True

[Achromatic1978]

"Web 2.0!" "RoR!" "Web 2.0!" "VC!" "Web 2.0!" "Rounded corners!" "Gradients!" "Web 2.0!" "Jeff Bezos!" - they make a lot of good points about "doing less, better", but are occasionally far too militant about it.

Mind you, DeviantArt (in my opinion) completely fucked it's Version 5 relaunch by - in their own words - "adding many many many new features", and being determined to release on the site's anniversary, come hell or high water (or in this case, half baked features) - the bug list is LONG, and include

Re:Funny / True

[Mongoose Disciple]

I've not used Basecamp, but I have seen it - I've used Ta-da lists, and whilst functional, it /feels/ overly amateur and unpolished.

As someone currently using Basecamp, you're not far off.

Don't get me wrong -- it's good for what it is, and the price is right. That said, I'd give good odds that in two years, something similar and better will occupy Basecamp's market and mindshare. Sometimes, positive buzz is good for a product; other times, it primarily serves to draw the attention of those able to

Re:How few?

[Daytona955i]

Including:
http://www.rubyonrails.org/index.php [rubyonrails.org]

I still get a kick out of that.

Re:How few?

[ComaVN]

I think the rationale behind that one is that the site was made before rails was ready for prime time, and afterwards there was no compelling reason for a rewrite.

Sounds perfectly pragmatic to me.

Re:How few?

[Breakfast Pants]

Yeah, because the Rails people suck so bad at marketting.

Re:How few?

[WWWWolf]

index.php this, index.php that... well, you know, it doesn't have to mean darn, we have this thing called "mod_rewrite" these days... =) And RoR website does use Rails apps, at least Typo and Instiki (I think).

But seriously, I wish there was a real Rails-based CMS there's Typo, which is more of a blogware than a general-purpose CMS, and I don't have any idea if we have anything quite comparable to, say, Drupal...

Re:How few?

[Daytona955i]

Yes, I understand there's a thing called mod_rewrite but why would you want to make it look like you were running PHP when you are trying to promote rails? It would be like Microsoft changing their server responses to indicate that they were running Linux.

If you really want a general-purpose CMS then write one. I mean if all the hype of Rails is true, anyone should be able to whip one up in a few hours.

Re:How few?

[An Onerous Coward]

You mean "if all the most drooling, newbie hype is true." A full-featured CMS is a complex thing, and while Rails gives you lots of "damn that was easy" moments, the people who would seriously claim that you should be able to write one in a few hours haven't done much beyond watching the screencasts. I think the screencasts were something of a mistake, because all they can really do in ten or fifteen minutes is show off the scaffolding.

Re:How few?

[An Onerous Coward]

Disclaimer: I'm working on my own, rather minimalistic CMS in Rails. I'm probably a couple of weeks into it. If it really is possible to do a CMS in "a few hours" then my ego is in for a bruising.

Re:How few?

[Pollardito]

they're also editing the headers then :

Server: Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4 SVN/1.3.2 mod_vd/2.0 mod_fastcgi/2.4.2 proxy_html/2.5
X-Powered-By: PHP/5.1.4

that's a lot of steps to go through to convince people that you're not using your own product

Re:How few?

[thePowerOfGrayskull]

You read much into a comment that was simply an honest question. And your right, I probably should've distinguished between Ruby & Ruby on Rails.

meanwhile...

[advocate_one]

the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

Re:meanwhile...

[CastrTroy]

Yeah, when you have the source code, it wouldn't be hard to compare 1 release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet, it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on rails just yet. It's still too young. There's much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on rails.

Re:meanwhile...

[QuantumG]

As if they didn't already know. I remember back in '98 when the whitehat community just stopped looking for security flaws in the Linux kernel because it was just too damn easy to find em. Then we had the short lived anti-sec movement which actively encouraged blackhats to look for exploits and stockpile them. Ahh, thems were the days.

Re:meanwhile...

[HiThere]

No. I don't remember it. And in '98 I was starting to get interested in Linux. So it definitely wasn't a high profile action on anybody's part.

too late

[verystoned]

patriotichackers ( some Kurdish d00d's ) have been mass defacing sites all night. yup. vi and apache baby.

Re:too late

[verystoned]

Hey chiwawa they took down the barry anderson show.

Re:too late

[HamOpMW]

You mean vim right?

Re:too late

[WilliamSChips]

No, just a world that realizes that vim is superior. *kills you then revives with sarcophagus*

RoR lacks maturity

[bloodredsun]

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.

Re:RoR lacks maturity

[flipper65]

One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.

Mod parent insightful

[Eivind Eklund]

There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.

Eivind.

Re:Mod parent insightful

[John Nowak]

You're looking for the word "correlation", not "correspondence".

Re:Mod parent insightful

[Unequivocal]

I think he actually meant what he said: correspondence [m-w.com]. He could have said "correlation" and made the same point, and the two words are quite similar. Here's the first definition of correspondence on m-w:

1 a : the agreement of things with one another b : a particular similarity c : a relation between sets in which each member of one set is associated with one or more members of the other

Re:Mod parent insightful

[Eivind Eklund]

Accumulated fixes may or may not result in baroque code; that depends on the culture of the project, and the skill level of the maintainers. Both high skill levels and a good culture are necessary to avoid the creation of baroque code while doing those fixes.

Eivind.

Re:Mod parent insightful

[Eivind Eklund]

My experience is that Ruby's programming model avoid most of the security issues fairly simply. I've not seen any example of the kind of problem you claim; can you provide any references to exploits?

Eivind.

Re:RoR lacks maturity

[bloodredsun]

I agree that every framework or application has had a critical security update or two at some time. The point of my original post was that the established ones have had theirs at some time in the past. A good example would be the Tomcat ones you mentioned, version 3.1 was in 2001.

I pretty much knew that I was going to get flamed for the comment (your comment a fairly honourable exception) but speaking as a senior developer in a bank, I wouldn't touch RoR with a barge pole at the moment. Not because it isn'

Re:RoR lacks maturity

[cortana]

Because well-known, "enterprise-ready" vendors never "ignore critical vulnerabilities for years.

Re:RoR lacks maturity

[gutnor]

Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerfull corportation throwing billion in it. And Rails is no exception.

However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.

Re:RoR lacks maturity

[CastrTroy]

It really depends on how you define mature. Take people for example. Just because you reach a certain age, it doesn't mean that you are mature. I've met some pretty immature 30 year olds in my day (and i'm only 26). On the same note, I've also met a lot of teenagers who are more mature than most of the people 10 years older than them. If the software in question has made significant improvements in its security and reliability, then it can be called mature. Microsoft has made very little attempt to fix the security issues within internet explorer, by refusing to removie Active X(pliot), and by continually refusing to adhere to web standards such as css, and refusing to implement new features such as the alpha channel in PNGs. They have only started to make real changes (although in my opinion still half-assed), in IE7 because Firefox started taking away a noticeable number of users, and offering a better overall experience. Take an actual mature product on the other side, like Apache, who got their names because they had to patch so many bugs in the beginning, and actually did it. The maturity of the product doesn't have anything to do with how old the product is, but only how willing the developers are to fix the application when bugs are found, and implement new features when they are needed by the public. Granted age is necessary to find all the problems with the application, but you don't do anything about the problems, you fail to become mature.

Re:RoR lacks maturity

[gutnor]

Agree with you. Bad example, Internet Explorer has lost its status of mature in exchange for "outdated but established" ( ok I'm nice, but I can't find anything beter to say without being rude )

Re:RoR lacks maturity

[esconsult1]

Just like PHP, right?

Re:RoR lacks maturity

[morgajel]

yes, because we know no [gentoo.org] one [gentoo.org] else [gentoo.org] gets security holes. Writing something off because the authors jump up and down and say "holy shit, patch this" is a bit short-sighted. at least people are being informed and shit is being done about it.

RoR is shipping with OSX Leopard Server...

[TheNoxx]

I was wondering if more security holes like this will show up and given an easier window for n'er-do-wells into OSX security.

Just a thought.

Re:RoR lacks maturity

[mpcooke3]

Yeah, I run windows it's been around for ages so it's nice and secure.

Re:RoR lacks maturity

[telbij]

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Maybe, but it's by no means a good reason. I could just set aside a miniscule portion the hundreds of hours I saved not writing Java and simply update Rails...

Re:RoR lacks maturity

[Amouth]

#include <stdio.h>

int main(int argc, char *argv[]) {
    printf("Not True\n");
    return 0;
}

Re:RoR lacks maturity

[PReDiToR]

I hope you got the latest version of gcc to compile that, we just had a crit.vuln(trojan) that puts an extra 50 bytes on the .exe file for all programs that are less than 10 lines ...

Re:RoR lacks maturity

[Amouth]

true.. things can tie in to the compiler.. i was just noting the blatent wrong that all code has security issues

Re:RoR lacks maturity

[bloodredsun]

Yes and No.

It's less "me too" and more "tried and tested", hence the use of programming languages such as Cobol and RPG when people may have expected them to be replaced. Not having experts isn't an issue either, if they need them, they just hire them, there's normally enough money at stake to make this a non-issue.

Long-term views is a definite yes. You have to ask questions like: "will this product still be supported in the next 5-10 years" ,"will it be actively developed and patched", "will this produc

get a grip peeps

[Anonymous Coward]

I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw

fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches

people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software

Re:get a grip peeps

[Anonymous Coward]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

The difference is that other vendors supply patches for versions in common use instead of simply telling you to upgrade to a newer major version and refusing to tell you what the problem is so you can fix it yourself in the older version. And other vendors usually have at least some clue about which versions are affected instead of saying one thing, then changing their story, and then admitting that they don't have a fucking clue about

Re:get a grip peeps

[nogginthenog]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

Yeah, but not every fuckin bit of software is directly exposed to the internet.

Re:get a grip peeps

[bloodredsun]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of beiing an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.

As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.

You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look it *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.

Re:get a grip peeps

[Daltorak]

MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

You say that, but have you looked at the stats? IIS 6.0 is has had -far- fewer vulnerabilities in its lifetime than Apache 2.0.

Apache 2.0: http://secunia.com/product/73/ [secunia.com] ... 32 advisories since January 2003, including multiple remote access vulnerabilities. most recently, a system access vulnerability was found with mod_rewrite. 2 vulns

Re:get a grip peeps

[jrockway]

mod_rewrite needs to be enabled also, and you have to be using a very special RewriteRule.

But yeah, both Apache and IIS are bad in a security sense. No hole is acceptable.

Question

[andy1307]

Doesn't the patch itself give away the location of the flaw? Comparing the size of files in the two installations should tell you which parts have been patched. I'm assuming a serious flaw means an explotable buffer overflow.

Re:Question

[wkleunen]

an exploitable buffer overflow? in ruby code? Isn't ruby supposed to be a safe language.

Re:Question

[ubernostrum]

I'm assuming a serious flaw means an explotable buffer overflow.

Ruby is an interpreted, memory-managed language. Any buffer overflow would have to be in the Ruby language interpreter, not in software that's written in Ruby.

Related to the Wiki hack

[balls199]

I wonder if this is related to their hacked wiki page?

Ruby on Rails Wiki [rubyonrails.org]

Anyone have information on this?

Security temporarily unavailable

[telchine]

http://wiki.rubyonrails.org/rails/pages/Security [rubyonrails.org]

Service Temporarily Unavailable

Seems an appropriate response!

Patch

[joebutton]

Patch available here [djangoproject.com].

Rails

[quantum bit]

Maybe they should switch to a safe language that prevents buffer overflows and protects programmers from themselves.

Oops.

Details of the exploit can be found here.

[Anonymous Coward]

http://blog.evanweaver.com/articles/2006/08/10/exp lanation-of-the-rails-security-vulnerability-in-1- 1-4-others [evanweaver.com]

Patch details

[Wulfstan]

$LOAD_PATH.select do |base|
                              base = File.expand_path(base)
                              extended_root = File.expand_path(RAILS_ROOT)
- base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{Regexp.escape(extended_root)}\/*#{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
                          end

Not seen the context (so this is guesswork), but looks suspciously to me like you could supply a path like;

RAILS_ROOT/../../../../etc/passwd

Or something substantially similar to it...

Re:Patch details

[cdcarter]

Close, but all the bug did was execute ruby code in the RAILS_ROOT, which can be really really dangerous, but nothing like that.

Is that what the Ruby on Rails code is like?

[Anonymous Coward]

I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.

Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.

Re:Is that what the Ruby on Rails code is like?

[I Like Pudding]

Hell, I love Rails and that diff makes me want to vomit. That's worse looking than 95% the massive, decade-old Perl codebase I maintain.

Re:Patch details

[nuzak]

Dear. Freaking. Lord. A directory traversal attack? Half the PHP kiddies out there know about avoiding those (and probably only half). Granted, it passes through a somewhat obscure option, but it does come from the environment. Doesn't ruby have a sophisticated taint mechism? Why doesn't rails avail itself of it?

Re:Patch details

[ubernostrum]

Nope. $LOAD_PATH contains the directories Ruby searches for libraries (@INC in perl, I don't know the equivalent in Python).

sys.path in Python, which is initialized from the environment variable PYTHONPATH.

It's doubtful Rails would have a '../../etc/passwd' type bug since very few of the urls have any direct correspondence to the filesystem. (e.g. mail/send/1 executes the send method of an instance of the MailController class).

But... the default setup for Rails (or at least, last time I played with it) is to map /controller/action/-style URLs for you, so if you managed to upload a Ruby file which just happens to contain your malicious subclass of ActionController, well, you'd pretty much own the site.

This is why I don't like automatic URL mapping; only the URLs I've explicitly laid out should ever respond, and only the code I've explicitly pointed them to should ever be executed. I know Rails has other ways of mapping your URLs, but I don't know off the top of my head if you can disable the default controller-name/action-name mapping; even scarier is that a number of other frameworks have emulated that.

(Disclaimer: I work for the company which developed Django [djangoproject.com], and am an active user of and contributor to it)

Re:Patch details

[BlurredWeasel]

To let you know it is trivial to turn off the default mappings, they sit in routes.rb. It explicitly states in that file that it is a default mapping. Just get rid of the appropriate line, and you're good. You will have to add mappings yourself though to re-enable all your controllers.

The splotlight can be merciless

[Erectile Dysfunction]

In some ways the current growth of Ruby outside of Japan parallels the growth process that Python went through during the later part of the '90s: making the transformation from obscurity to garnering the widespread attention of various nebulous Internet luminaries who step forward to profess its superiority to mainstream business languages in terms of flexibility and rapid deployment. Like early Python growth much of the exultation stems from the perceptions of a web framework, with even Apple Computer comi

for the especially clueless...

[chocolatetrumpet]

gem install rails --include-dependencies

Re:Is it related to previous fixes...?

[leenks]

Good news: Rails 1.0 and prior is not affected by the latest security breach we've experienced. Neither is Rails 1.1.3. We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.

"RTFA suddenly seemed like a good idea."

Mod parent informative

[Eivind Eklund]

It contains VERY important details that should have been in the summary.

Re:odd...

[scsscs]

They are telling everyone to upgrade, that's how they know.

Re:odd...

[Evil Al]

But this strategy works so weel for Microsoft.... how could it be wrong :-)

Alex

Re:odd...

[FirienFirien]

how can people know that they need to upgrade their server?

Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

Re:Where's the outrage??

[bytesex]

I read that as:

Rails has a security flaw and it's not being derailed.

Well, it is being derailed, right ?

Re:I'm really trying to like Rails, but...

[Anonymous Coward]

it's You

Re:I'm really trying to like Rails, but...

[Decaff]

I prefer developing an OO programming model abstraction and having that mapped to the database, rather than having the database introspected and then developing against the results.

This is the way most object persistence has been done for years. Yet Rails steps backwards about a decade and gets all the interest!

Re:Major Hole Found In CmdrTaco

[Tharkban]

wow, an unmodded score of -1. Now that is impressive.