Major Security Hole Found In Rails

← Back to Stories (view on slashdot.org)

Major Security Hole Found In Rails

Posted by ryuzaki0 on Wednesday August 9, 2006 @11:00PM from the protect-yourself dept.

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

3 of 177 comments (clear)

Min score:

Reason:

Sort:

Re:meanwhile... by QuantumG · 2006-08-10 00:49 · Score: 0, Offtopic

As if they didn't already know. I remember back in '98 when the whitehat community just stopped looking for security flaws in the Linux kernel because it was just too damn easy to find em. Then we had the short lived anti-sec movement which actively encouraged blackhats to look for exploits and stockpile them. Ahh, thems were the days.

--
How we know is more important than what we know.
I'm really trying to like Rails, but... by jocknerd · 2006-08-10 01:03 · Score: 0, Offtopic

the more I mess with it, the more I realize I like Django better. Django just seems much more mature and has more features included automatically, like administration. Maybe its me, but my mind seems to understand Python more than Ruby.
1. Re:I'm really trying to like Rails, but... by dtietze · 2006-08-10 03:13 · Score: 1, Offtopic
  
  I agree. I recently built my first major Django site ( http://www.trogger.de/ -- shameless plug!) and used that project to learn Python and Django. All along I was really enjoying myself (as opposed to all the previous J2EE development that I've done) and felt incredibly productive.
  This is, of course, in part due to the Python language, with its dynamic features and the way it just "feels" right. But a large part was also the way the Django guys just 'get it'. I like their ORM. The database structures they generate make sense to me. I prefer developing an OO programming model abstraction and having that mapped to the database, rather than having the database introspected and then developing against the results. Django's way just feels more natural to me.
  The recent release of Django 0.95 was a major effort and an important milestone. Judging from the roadmap, Django 1.0 will be excellent.