Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Security Hole Found In Rails

Posted by ryuzaki0 on from the protect-yourself dept.

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

8 of 177 comments (clear)

  1. meanwhile... by advocate_one · · Score: 5, Insightful

    the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  2. RoR lacks maturity by bloodredsun · · Score: 5, Insightful

    This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

    Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.

    1. Re:RoR lacks maturity by flipper65 · · Score: 5, Insightful

      One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.

    2. Re:RoR lacks maturity by gutnor · · Score: 5, Insightful

      Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerfull corportation throwing billion in it. And Rails is no exception.

      However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.

  3. Re:odd... by FirienFirien · · Score: 5, Insightful

    how can people know that they need to upgrade their server?

    Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

    The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

    --
    Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
  4. Mod parent insightful by Eivind+Eklund · · Score: 5, Insightful
    There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.

    Eivind.

    --
    Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
  5. Funny / True by yem · · Score: 5, Insightful

    Penny Arcade is the worst advertisement for Rails there is.
    I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
    (or maybe they have and PA is a simply realistic example of RoR under load...)

    --
    No, I did not read the f***ing article!
  6. Re: Major Security Hole Found In Rails by GGardner · · Score: 5, Insightful

    Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?