Rails 1.1.6

The 1.1.5 patch to Rails didn’t quite fix all the holes, so version 1.1.6 is now out, along with details on the hole. It’s good to see the Rails team take this seriously and move fast – and I really don’t understand the whiners about “security through obscurity”. Yes, in the long run that’s a bad policy, but when you’ve just discovered a hole in a popular framework, the thing to do is precisely what the Rails team did: announce the fact that there’s a potential exploit and offer a new version of the software, but withhold details for a day or two until most people have managed to update their systems. To do otherwise would be to give the script kiddies of the world a free ride. Yes, you can possibly figure out the hole by comparing diffs… but most of the script kids out there are just that: kids who will use a ready-made “hack”, but won’t bother to figure it out for themselves.

This site is now upgraded to 1.1.6, naturally. Typo is still version 4.0.0 – there is now a version 4.0.2 out which fixes some bugs and includes Rails 1.1.6, but the gem updater for that one gave me an error. I’ll try it again after Ropecon, no time to hack now.

    by Orava

    Mmm, maybe. I still think their “wait one or two days” stance was correct. But obviously this is controversial :)

    by Killeri

    What I hated about the Rails announcement was that it didn’t include any information on the vulnerability. As it turned out to be “only” a DDoS/data loss vulnerability, I had no real reason to immediately upgrade my Internet-visible test sites, which I should have done had this been a root or even a normal user level shell access exploit.

    There is no point in hiding the details of an exploit when you have a security upgrade for the users. If a user cannot be bothered to follow security announcements, the script kiddies will get a script to run before the user is bothered to upgrade.

