On 10/08/06, Daniel B. [email protected] wrote:
> This has the consequence of making what you say seem a bit alarmist, and
> making what DHH said seem a bit ridiculous. “No need to arm would-be
> assailants”? Man, that train has already left the station…
And in the interim would-be attackers are in no way hampered by the
silence on this issue. Just doing a diff between the different gem
versions is enough to hone in on the likely area of the code. So
would it really hurt to mention in the announcement that it’s a SQL
injection attack or a URL hack or a file upload issue or whatever so
people would at least know what to look for?
That way people could assess the risks / potential for harm for their
specific application and help them put together an upgrade plan,
instead of the “oh, shit, you need to upgrade NOW” warning. Running
around blindly running ‘gem install rails -y’ on all your servers
doesn’t really instill confidence in the process. I accept this is the
first (at least publicised) time rails has had any significant
security issue so this is a learning process for most people.
Now, about the fact that dev.rubyonrails.org is down right
now…curiouser and curiouser
I think Trac has been down for quite a while recently, but it certainly
doesn’t help matters.
Paul.