Rails making a security boo boo

They're withholding the nature of an exploit "so people have a chance to patch", meaning anyone that has been exploited won't bloody well know until it's too late.

There will be people who can't upgrade and could really do with knowing - I don't agree with this course of action.

Luckily they quickly rectified this.

Published Friday, August 11, 2006 10:19 AM by Plip

Comments

# re: Rails making a security boo boo

Friday, August 11, 2006 7:54 AM by James Avery

Actually they did disclose it:

http://weblog.rubyonrails.com/2006/8/10/rails-1-1-6-backports-and-full-disclosure

The fact that they are so concerned, and that they offer up the time of the core team to help you if you can't patch something is pretty impressive.

-James

# re: Rails making a security boo boo

Friday, August 11, 2006 11:03 AM by Bob

This security issue is pretty bad. It allows you to run arbitrary Ruby code on a server.

There were a lot of screw-ups in how this was handled, and a lot of things to learn from.

First there was no disclosure of the actual issue, which is really, really bad security practice when announcing a vulnerability.

What made it worse was that DHH told everyone to upgrade to 1.1.5 immediately and did not release patches for older versions. A lot of people had to pull all-nighters upgrading their 1.0 apps, which weren't compatible with 1.1.x.

It then got terrible yesterday when it was discovered that the patch everyone was told to upgrade to had security issues itself. It turned out that the 1.0 build didn't have the original security issue (despite first reports from the Rails core team that it did), but anyone who upgraded to 1.1.5 suddenly learned that they now were actually vulnerable to a remote code execution security hole, and had to repatch again.

Making matters worse, the Rails Trac bug system and email listserv started failing under load (http://weblog.rubyonrails.org/2006/8/10/new-dedicated-trac-server-on-the-way), and the GEMs patch system had many issues distributing the multiple patches. As a result, a lot of people are having to manually copy the patch around, and aren't getting any support on the listservs when things go wrong.

Not a good week at all...

# re: Rails making a security boo boo

Monday, August 14, 2006 5:17 PM by Shane

Let's get back to berating Microsoft for their flaws; that way, we can quickly forget that such vulnerabilities are linked to man-made systems, and not specifically to Microsoft.
