Slashdot Mirror


Major Security Hole Found In Rails

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the Rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

8 of 177 comments

  1. do your part and call MS out by distantbody · · Score: -1, Offtopic

    Hey, I found a fairly slick blog claiming to be completely independently produced by an 18-year-old. However, it's clearly a Microsoft site complete with Apple-bashing, a NineMSN commercial, a story titled "MSNBC deceived the public: Vista's speech recognition demo" and MS-critic bashing, with a few lame attempts to throw people off the fairly rank scent of the Microsoft Corporation.

    Microsoft's Faux Blog

    I thought you could do your part and call MS out on this one by leaving a comment to the effect of "We know this is a Microsoft astroturf advertisement that intentionally aims to mislead readers to believe messages that benefit the corporation's agenda."

    ...Or you could just flame me and tell me how redundant this is.

    1. Re:do your part and call MS out by Anonymous Coward · · Score: -1, Offtopic

      I've read before that MS sponsors students to be their technical evangelists in their CS department or something. Maybe he's just one of them.

      Or maybe he just really likes Microsoft?

    2. Re:do your part and call MS out by Anonymous Coward · · Score: -1, Offtopic

      Maybe it was done by the same people who do the Republican party's astroturfing.

    3. Re:do your part and call MS out by Anonymous Coward · · Score: -1, Offtopic

      Who the fuck would 'like Microsoft', or any other fucking company? Except maybe stockholders when things are going well.

      'liking' companies is just silly.

  2. Re:meanwhile... by QuantumG · · Score: 0, Offtopic

    As if they didn't already know. I remember back in '98 when the whitehat community just stopped looking for security flaws in the Linux kernel because it was just too damn easy to find 'em. Then we had the short-lived anti-sec movement which actively encouraged blackhats to look for exploits and stockpile them. Ahh, thems were the days.

    --
    How we know is more important than what we know.

  3. I'm really trying to like Rails, but... by jocknerd · · Score: 0, Offtopic

    The more I mess with it, the more I realize I like Django better. Django just seems much more mature and has more features included automatically, like administration. Maybe it's me, but my mind seems to understand Python more than Ruby.

    1. Re:I'm really trying to like Rails, but... by dtietze · · Score: 1, Offtopic

      I agree. I recently built my first major Django site (http://www.trogger.de/ -- shameless plug!) and used that project to learn Python and Django. All along I was really enjoying myself (as opposed to all the previous J2EE development that I've done) and felt incredibly productive.
      This is, of course, in part due to the Python language, with its dynamic features and the way it just "feels" right. But a large part was also the way the Django guys just 'get it'. I like their ORM. The database structures they generate make sense to me. I prefer developing an OO programming model abstraction and having that mapped to the database, rather than having the database introspected and then developing against the results. Django's way just feels more natural to me.
      The recent release of Django 0.95 was a major effort and an important milestone. Judging from the roadmap, Django 1.0 will be excellent.

  4. Re:meanwhile... by Anonymous Coward · · Score: -1, Offtopic

    People keep making this claim that Rails is immature and it just doesn't hold any water. Sure, it's not as _old_ as some other frameworks, but that doesn't mean it's any less capable or that it's any less secure. I administer and develop several large production ('enterprise') web applications running on Rails. They represent the finest work I've ever done as a web developer and they're as robust as anything else out there currently. More so perhaps, since Rails makes following good practices very easy and Ruby drastically improves code maintainability.

    I don't think every application needs to be converted to Rails, of course, but it is production ready. It has been for nearly a year now. There's really nothing else (beyond perhaps Django) I'd rather use.