Earlier today, David Heinemeier Hansson posted on the Ruby on Rails weblog regarding an urgent Ruby on Rails security patch (Rails version 1.1.5). No detailed information regarding the nature of the vulnerability was mentioned in the post, but it does sound very serious.
Originally all Rails versions starting at 0.13 were supposed to be affected, which would have been extremely bad news for the many individuals and businesses out there who are running a production site on Rails 1.0. However, DHH later followed up with another post stating that Rails 1.0 and 1.1.3 are not affected. So for now it seems like Rails 1.0 users are off the hook, although it might be a good idea to consider upgrading to Rails 1.1.5 anyway…
Unfortunately, details about the issue still have not been posted, and many members of the Rails community are very unhappy with this. I understand that DHH is attempting to protect Rails users by giving them a chance to upgrade their installations before the Rails team announces further details on the issue, but “security through obscurity” has generally proven not to work. Adventurous (or malicious?) minds should be able to figure out the vulnerability by downloading the freely available source code and performing a diff on the patch, while the community at large is left in the dark on the nature of the issue. This is obviously a vital data point when presenting a case to management to urgently upgrade the Rails version for your production applications, and without this there is bound to be some serious hesitation on performing the upgrade, which ultimately may lead to larger problems than publicly announcing the vulnerability would.
Anyway, I’m curious to find out what the problem was, and I’ll follow up with more updates as soon as further details are announced.
Update: The full disclosure on the vulnerability has finally been posted. There’s also another new version: 1.1.6. The description of the issue does sound very serious indeed, so if you’re running one of the affected versions you should upgrade immediately.