[ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)

We’re still hard at work on Rails 1.2, which features all the new
dandy REST stuff and more, but a serious security concern has come to
our attention that needed to be addressed sooner than the release of
1.2 would allow. So here’s Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent
edge (which isn’t affected by this). If you have a public Rails site,
you MUST upgrade to Rails 1.1.5. The security issue is severe and you
do not want to be caught unpatched.

The issue is in fact of such a criticality that we’re not going to dig
into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is
fully drop-in compatible with 1.1.4. It only includes a handful of bug
fixes and no new features.

For the third time: This is not like “sure, I should be flossing my
teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a
motorcycle through downtown in rush hour”. It’s not a suggestion, it’s
a prescription. So get to it!

As always, the trick is to do “gem install rails” and then either
change config/environment.rb, if you’re bound to gems, or run “rake
rails:freeze:gems” if you’re freezing gems in vendor.

P.S.: If you run a major Rails site and for some reason are completely
unable to upgrade to 1.1.5, get in touch with the core team and we’ll
try to work with you on a solution.

David Heinemeier H.
http://www.loudthinking.com – Broadcasting Brain
http://www.basecamphq.com – Online project management
http://www.backpackit.com – Personal information manager
http://www.rubyonrails.com – Web-application framework

Dale M. wrote:

This is a MANDATORY upgrade for anyone not running on a very recent
edge (which isn’t affected by this). If you have a public Rails site,
you MUST upgrade to Rails 1.1.5. The security issue is severe and you
do not want to be caught unpatched.

The issue is in fact of such a criticality that we’re not going to dig
into the specifics. No need to arm would-be assailants.

I suppose this is like shooting the messenger but isn’t this like
telling a kid not to touch a hot stove? Seriously!

“The issue is in fact of such a criticality that we’re not going to dig
into the specifics. No need to arm would-be assailants.”

This WARRANTS full explanation! If there is need enough to alarm the
people that use the product then there is certainly a need to provide
disclosure of some sort of what the problem is.

This “attitude” to some degree diminishes the value of Rails. It
suddenly took a very cool framework and set it back because of the
unprofessional way in which a problem was handled. I firmly believe
that you can judge a company (or person or product) not by the way they
handle things when things are going well, but by the way they handle
things when things go wrong. In business, and life, things go wrong.
Handle it properly. This is not the proper way to handle an issue as
serious as it sounds.

Provide the details. COMMUNICATE to people so they know WHAT the
problem is and what their exposure is. NEVER put out a generic
statement like this - it is almost as bad as hiding the problem
entirely.

If I were hosting a site somewhere or had a true “web app” I would be
scared as hell right now. DHH, Rails contributors and others should be
providing much more information than this. Right now, people have a
“need to know” as well as a “right to know” without having to sift
through diffs to determine what happened.

I suspect much bad publicity is going to come from this. Tackle the
bull head-on - you can’t hide what people will figure out anyway.

Michael

Provide the details. COMMUNICATE to people so they know WHAT the
problem is and what their exposure is. NEVER put out a generic
statement like this - it is almost as bad as hiding the problem
entirely.

While I agree with your sentiment almost entirely, keep in mind that
Rails is open source. The subversion repository is publicly available,
so, finding the diffs between two releases should be trivial.

This has the consequence of making what you say seem a bit alarmist, and
making what DHH said seem a bit ridiculous. “No need to arm would be
assailants”? Man, that train has already left the station…

Now, about the fact that dev.rubyonrails.org is down right
now…curiouser and curiouser :)

Regards,

Danny B.

Daniel B. wrote:

While I agree with your sentiment almost entirely, keep in mind that
Rails is open source. The subversion repository is publicly available,
so, finding the diffs between two releases should be trivial.

This has the consequence of making what you say seem a bit alarmist, and
making what DHH said seem a bit ridiculous. “No need to arm would be
assailants”? Man, that train has already left the station…

Hi Danny,

Not intentionally alarmist - what I mean is just give us a statement as
to what the problem is. Yes, Rails is open source, but that doesn’t
mean I want to spend time digging through versions of source to
determine what changed to find the problem. That is time better spent
somewhere else and an effort that should not have to be duplicated by
all the people using rails. The fact that it is open should be all the
more reason to just say “hey, here is the problem, here is the
patch…now apply” instead of “there is a problem, here is the patch,
apply.” Plus, once people know what the problem was then they can
assess their own data to determine if it was affected or not.

So, what was the problem anyway? Since it is so easy to find via
subversion then I’m curious to know if anyone would care to share what
it was!

Just my input!

Michael

On Wed, Aug 09, 2006 at 07:24:26PM -0000, Dale M. wrote:

This is a MANDATORY upgrade for anyone not running on a very recent
edge (which isn’t affected by this). If you have a public Rails site,
you MUST upgrade to Rails 1.1.5. The security issue is severe and you
do not want to be caught unpatched.

Newbie question; how do I tell what version of Rails I’m running on?
If Rails has been frozen into a tree, how do I tell what version that
tree is using?

The issue is in fact of such a criticality that we’re not going to dig
into the specifics. No need to arm would-be assailants.

Full disclosure? Seriously; it’s not much work for someone to diff 1.1.4
with 1.1.5 and work out what the fix was (well, someone who knows Ruby,
that is).

How can I determine whether my exposed web services are vulnerable or
not?

-jim

Michael,

This post does not help in any way. I expect within the next week a
full explanation of what was wrong, why it was wrong and how it was
fixed will be published. This is pretty close to the way it SHOULD
work. Give as little ammo as possible to the script kiddies out there
while the professionals upgrade their systems. After the professionals
have had sufficient time to upgrade, then tell the world what the
problem was. The code is open, so if you want to explore what was
changed between versions feel free. Again, they are trying to make it
a little more difficult for those who seek to do harm.

So, hop in the car, drive to Starbucks, indulge in some overpriced
coffee and chill out. At least a fix was published immediately and we
didn’t have to wait until the first Tuesday of next month for it to be
released.

Carl

Rather well said Daniel

On 8/10/06, Daniel B. [email protected] wrote:

This has the consequence of making what you say seem a bit alarmist, and

Just because you’re not paranoid doesn’t
mean they aren’t out to get you.

On Thursday, August 10, 2006, at 4:29 AM, Michael M. wrote:

This WARRANTS full explanation! If there is need enough to alarm the
people that use the product then there is certainly a need to provide
disclosure of some sort of what the problem is.

Right now, people have a
“need to know” as well as a “right to know” without having to sift
through diffs to determine what happened.

A similar discussion cropped up on the Ruby list where this was first
announced. It seems that the consensus on this was to: “update first,
ask questions later”.

There is a need to allow people time to roll out the security fixes
before discussing the details of what they are.

It is my understanding that an explanation will be forthcoming, but now
is not the time for it.

So… don’t panic. Just upgrade to 1.1.5 ASAP if you have a rails app
out there.

_Kevin
www.sciwerks.com

Hi,

While I agree in the open source spirit that full information should be
disclosed/made available…for the time being just to say there is a
critical patch and apply it is THE safe option. IMHO.

Consider the following:

  1. How many patches from IIS/.NET are “pushed” into your system without
     even any information on what patch it is?
  2. Also RoR is relatively new and many people are in the “let’s try or
     ain’t it cool?” mode, so if they have hosted some of the application,
     they don’t want to be caught unawares.

Also with the RoR architecture of “freezing” your Rails version…you can
easily upgrade yourself even if your shared hosting doesn’t have the
latest patch.

BUT, in the next weeks I would like to “really” know what was the
security issue…not yet!

Just my 2 cents!

_Hari

how do I tell what version of Rails I’m running on?

prompt > rails -v

Also you can boot your app and check out the default rails page from the
localhost. It will give you the gem version that the current app is
running.

On 10/08/06, Jim C. [email protected] wrote:

Newbie question; how do I tell what version of Rails I’m running on?
If Rails has been frozen into a tree, how do I tell what version that
tree is using?

There’s a changelog in

vendor/rails/railties/CHANGELOG

(there also seems to be a variable Rails::VERSION::STRING, but
that doesn’t seem to be easily visible from ./script/console)
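The answers in this thread (`rails -v`, vendor/rails/railties/CHANGELOG, Rails::VERSION::STRING) report different things: `rails -v` prints the installed gem, which is not necessarily what a frozen application loads from vendor/rails. The Ruby script below is an added example, not code from any post in this thread or from the Rails project. It inspects an application tree directly: it reads the version from a frozen vendor/rails copy (assumed, as in Rails 1.x trees, to live in railties/lib/rails/version.rb as MAJOR/MINOR/TINY constants) or, failing that, from the RAILS_GEM_VERSION pin in config/environment.rb, and compares the result numerically against 1.1.5, so that a hypothetical 1.1.10 is not mistaken for an older release than 1.1.5. The file layout, constant names and the hypothetical sample trees are assumptions, not something the thread states.

```ruby
# Added example (not from the thread or the Rails project): determine which
# Rails version an application actually runs, whether Rails is frozen into
# vendor/rails or bound to an installed gem, and compare it against the
# patched release announced in this thread.
#
# Assumptions (labelled, not stated in the thread): a frozen Rails tree
# carries railties/lib/rails/version.rb with MAJOR/MINOR/TINY constants, and
# a gem-bound app pins its gem in config/environment.rb as RAILS_GEM_VERSION.

PATCHED_VERSION = '1.1.5' # the release the announcement says to upgrade to

# Parse "1.1.5" into [1, 1, 5] so versions compare numerically, not as
# strings (string comparison would wrongly rank "1.1.10" below "1.1.5").
def version_parts(str)
  str.split('.').map { |n| Integer(n) }
end

# Compare two version strings like <=>: -1, 0 or 1. A shorter version is
# padded with zeros, so "1.2" and "1.2.0" are equal.
def compare_versions(a, b)
  pa, pb = version_parts(a), version_parts(b)
  len = [pa.size, pb.size].max
  pa += [0] * (len - pa.size)
  pb += [0] * (len - pb.size)
  pa <=> pb
end

# Version recorded in a frozen tree (vendor/rails), or nil if not frozen or
# if the version file does not carry all three constants.
def frozen_rails_version(app_root)
  path = File.join(app_root, 'vendor', 'rails', 'railties', 'lib', 'rails', 'version.rb')
  return nil unless File.file?(path)
  src = File.read(path)
  parts = %w[MAJOR MINOR TINY].map do |name|
    m = src.match(/^\s*#{name}\s*=\s*(\d+)/)
    return nil unless m
    m[1]
  end
  parts.join('.')
end

# Version pinned in config/environment.rb via RAILS_GEM_VERSION, or nil.
def gem_bound_rails_version(app_root)
  path = File.join(app_root, 'config', 'environment.rb')
  return nil unless File.file?(path)
  m = File.read(path).match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/)
  m && m[1]
end

# A frozen copy wins over the gem pin, because an app with vendor/rails
# loads that copy rather than the gem. Returns [source, version], or
# [:unknown, nil] when neither is found (then the installed gem, as shown
# by `rails -v`, is what the app will load).
def detect_rails_version(app_root)
  if (v = frozen_rails_version(app_root))
    [:frozen, v]
  elsif (v = gem_bound_rails_version(app_root))
    [:gem, v]
  else
    [:unknown, nil]
  end
end

# true when the app is at or above the patched release, false when behind,
# nil when the version could not be determined from the tree.
def patched?(app_root, minimum = PATCHED_VERSION)
  _source, v = detect_rails_version(app_root)
  return nil if v.nil?
  compare_versions(v, minimum) >= 0
end

if __FILE__ == $0
  root = ARGV[0] || '.'
  source, v = detect_rails_version(root)
  puts "#{root}: rails #{v || '?'} (#{source}) patched=#{patched?(root).inspect}"
end
```

Run it as `ruby check_rails_version.rb /path/to/app`; a result of `nil` means the tree carries neither a frozen copy nor a gem pin, and the version to check is then the one `rails -v` reports for the installed gem.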

Hi,

The information on what the security issue is, is already in the wild. A
little research on the net, and especially in chat rooms, gives you the
information in no time. On the mailing list of the RoR user group in
Germany there already is a link to a site explaining what the issue seems
to be. I don’t repeat it here since I’m respecting the decision of the core
developers, though I think their decision is plain wrong.

IMHO making it a mystery is appealing to the crowd to find the leak,
regardless of whether it’s the good or the bad part of the crowd. Therefore
I consider mystifying the issue harmful.

Cheers,
Jan

This is a MANDATORY upgrade

I’m wondering if the hosting companies supporting Rails (a2hosting, which
I’m using, for example) have been contacted by the core team, or if we each
need to contact the one(s) we’re individually using.

What are the rest of you who are using shared hosting doing?

Thanks,
Bill

On 10/08/06, Michael M. [email protected] wrote:

So, what was the problem anyway? Since it is so easy to find via
subversion then I’m curious to know if anyone would care to share what
it was!

If it’s stated here, then it might as well be on the blog.

Bear in mind a lot of us are at the mercy of hosting providers to
upgrade rails on the shared boxes (which requires a fair bit of
co-ordination).

If you don’t want to dig through the source, then wait for a week and
you’ll be told exactly what went boom.

Hi Surendra,

it’s fully disclosed now, check the rails blog. IMHO it should have been
from the beginning.

Cheers,
Jan

I know Dreamhost has already upgraded to the newest (1.1.6)

“Jan P.” [email protected] writes:

IMHO making it a mystery is appealing to the crowd to find the leak, regardless
of whether it’s the good or the bad part of the crowd. Therefore I consider
mystifying the issue harmful.

There is a very good reason for keeping it hidden till people upgrade. You
don’t want every Tom, Dick and Harry to know about it and try it on the
various Rails websites. It is not a mystery for people who understand Rails
code and can search the web.


Surendra S.
http://ssinghi.kreeti.com, http://www.kreeti.com
Read my blog at: http://cuttingtheredtape.blogspot.com/
,----
| “All animals are equal, but some animals are more equal than others.”
| – Orwell, Animal Farm, 1945
`----

rails -v to display the version.

I think you should know that DHH, as he wrote yesterday, wrote about what
the bug is in the announcement of 1.1.6, so stop the hell bashing. suxx

2006/8/10, Surendra S. [email protected]:

There is a very good reason for keeping it hidden till people upgrade. You
don’t want every Tom, Dick and Harry to know about it and try it on the
various Rails websites. It is not a mystery for people who understand Rails
code and can search the web.


Michael S. [email protected]

www.stellar-legends.de - space browser game in alpha stage

This is totally correct. The only issue is whether a patch for the
1.0 branch gets released soon.