Rails 1.1.5 Released With Crucial Security Fixes
Rails 1.1.5 was released today. It brings no new features, but it matters: it contains a number of bug fixes and a 'mandatory security patch' that David Heinemeier Hansson, creator of Rails, describes as significant:
This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
Even though details of the security flaws are not officially being given, it wouldn't take a would-be hacker long to run a diff between 1.1.4 and 1.1.5, so if you're running Rails 0.13 through 1.1.4, upgrade as soon as possible. For more information see David's post at the official Rails blog.
Don't forget to change your config/environment.rb...
What does it take for a cracker to find the critical change?
"Even though details of the security flaws are not officially being given, it wouldn't take a would-be hacker long to run a diff between 1.1.4 and 1.1.5, so if you're running Rails 0.13 through 1.1.4, upgrade as soon as possible."
You mean cracker, don't you?
Re: What does it take for a cracker to find the critical change?
It appears the way the notice was handled left something to be desired.
A fairly comprehensive explanation
It's worth noting that a properly secured and configured server should not be affected by this problem. Neither are the hundreds, if not thousands, of "enterprisey" IT apps that live behind a corporate firewall.
Notwithstanding, this is a major news event and I am trying to compile a list of comments from people running major Rails deployments to see how they were affected, if at all.