BT

InfoQ Homepage News Rails 1.1.5 Released With Crucial Security Fixes

Rails 1.1.5 Released With Crucial Security Fixes

Bookmarks

Rails 1.1.5 has been released today, but there are no new features. It's important, however, as it contains a number of bug fixes and a 'mandatory security patch' which David Heinemeier Hansson, creator of Rails, claims is significant:

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

Even though details of the security flaws are not officially being given, it wouldn't take a would-be hacker long to run a diff between 1.1.4 and 1.1.5, so if you're running Rails 0.13 through 1.1.4, upgrade as soon as possible. For more information see David's post at the official Rails blog.

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • Don't forget to change your config/environment.rb...

    by Tom Copeland /

    Your message is awaiting moderation. Thank you for participating in the discussion.

    ...if you've set a RAILS_GEM_VERSION version there, that is. And doing a "gem cleanup" will keep things tidy too.

  • What does it take for a cracker to find the critical change ?

    by anjan bacchu /

    Your message is awaiting moderation. Thank you for participating in the discussion.

    hi there,

    "Even though details of the security flaws are not officially being given, it wouldn't take a would-be hacker long to run a diff between 1.1.4 and 1.1.5, so if you're running Rails 0.13 through 1.1.4, upgrade as soon as possible."

    you mean, cracker, don't you ?

    BR,
    ~A

  • Re: What does it take for a cracker to find the critical change ?

    by Peter Cooper /

    Your message is awaiting moderation. Thank you for participating in the discussion.

    If I were talking as a geek to geeks, yes. As a writer who tends to stick to the standard vernacular and whose audience contains many non-geek types, no, sadly. :)

  • It appears the way the notice was handled left something to be desired

    by Obie Fernandez /

    Your message is awaiting moderation. Thank you for participating in the discussion.

    Ben Griffiths does a good job of deconstructing the official reaction.

  • A fairly comprehensive explanation

    by Obie Fernandez /

    Your message is awaiting moderation. Thank you for participating in the discussion.

    Explanation of the security hole.

    It's worth noting that a properly secured and configured server should not be affected by this problem. Neither are the hundreds, if not thousands, of "enterprisey" IT apps that live behind a corporate firewall.

    Notwithstanding, this is a major news event and I am trying to compile a list of comments from people running major Rails deployments to see how they were affected, if at all.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.