[ANN] DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory secu

On 10/08/06, Daniel B. [email protected] wrote:

This has the consequence of making what you say seem a bit alarmist, and
making what DHH said seem a bit ridiculous. “No need to arm would be
assailants”? Man, that train has already left the station…

And in the interim would-be attackers are in no way hampered by the
silence on this issue. Just doing a diff between the different gem
versions is enough to home in on the likely area of the code. So
would it really hurt to mention in the announcement that it’s a SQL
injection attack or a URL hack or a file upload issue or whatever so
people would at least know what to look for?

That way people could assess the risks / potential for harm for their
specific application and help them put together an upgrade plan,
instead of the “oh, shit, you need to upgrade NOW” warning. Running
around blindly running ‘gem install rails -y’ on all your servers
doesn’t really instill confidence in the process. I accept this is the
first (at least publicised) time Rails has had any significant
security issue, so this is a learning process for most people.

Now, about the fact that dev.rubyonrails.org is down right
now…curiouser and curiouser :)

I think Trac has been down for quite a while recently, but it certainly
doesn’t help matters.

Paul.

On 8/9/06, Aaron K. [email protected] wrote:

rails -v to display the version.

Also script/about

And if you go to the default Welcome Aboard page and click “About your
application’s environment” it will pop open a list of versions.

Or http://localhost:3000/rails_info/properties

In a console:
Rails::VERSION::STRING

"1.1.6"

(At last, a question I can answer.)

Ed
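As an added example (not code from the thread or from Rails itself), here is a small Ruby script that takes the version string each host reports through one of the methods Ed lists (`rails -v`, `script/about`, or `Rails::VERSION::STRING` in a console) and sorts the hosts into those that still need the 1.1.6 upgrade, those already on it, and those whose output could not be parsed, which is the per-server assessment Paul asks for instead of running `gem install rails -y` everywhere. The inventory is constructed sample data.

```ruby
# Added example: triage an inventory of Rails hosts by the version string
# each one reported, against the fixed release named in the announcement.
require 'rubygems'

FIXED_RAILS = Gem::Version.new('1.1.6') # release the announcement says to move to

# Normalise the different shapes the version shows up in:
# `rails -v` prints "Rails 1.1.5", the console prints "1.1.5" (maybe quoted).
def parse_rails_version(text)
  m = text.to_s.match(/(\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

# true when the reported version is older than the fixed release,
# false when it is at or above it, nil when the text could not be parsed
# (that host needs a manual look rather than a guess).
def needs_upgrade?(reported, fixed = FIXED_RAILS)
  v = parse_rails_version(reported)
  return nil if v.nil?
  v < fixed
end

# Constructed inventory (hypothetical hosts): host => what the command printed.
SAMPLE_INVENTORY = {
  'web1' => 'Rails 1.1.5',
  'web2' => '"1.1.6"',
  'web3' => 'Rails 1.0.0',
  'web4' => 'command not found'
}

# Group hosts so the upgrade can be scheduled per application.
def triage(inventory, fixed = FIXED_RAILS)
  result = { upgrade: [], ok: [], unknown: [] }
  inventory.each do |host, reported|
    case needs_upgrade?(reported, fixed)
    when true  then result[:upgrade] << host
    when false then result[:ok] << host
    else            result[:unknown] << host
    end
  end
  result
end

if __FILE__ == $0
  triage(SAMPLE_INVENTORY).each { |k, hosts| puts "#{k}: #{hosts.join(', ')}" }
end
```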