Major Security Hole Found In Rails
mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those 'on a very recent edge' are affected. Details on the exact nature of the flaw will be coming soon, but the Rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be assailants are armed."
Update: 08/10 13:56 GMT by J: Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.
It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.
Yeah, when you have the source code, it wouldn't be hard to compare one release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet: it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on Rails just yet. It's still too young. There are much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on Rails.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.