Rails 1.1.5: Mandatory security patch (and other tidbits)

We’re still hard at work on Rails 1.2, which features all the new
dandy REST stuff and more, but a serious security concern has come to
our attention that needed to be addressed sooner than the release of
1.2 would allow. So here’s Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent
edge (which isn’t affected by this). If you have a public Rails site,
you MUST upgrade to Rails 1.1.5. The security issue is severe and you
do not want to be caught unpatched.

The issue is in fact of such a criticality that we’re not going to dig
into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is
fully drop-in compatible with 1.1.4. It only includes a handful of bug
fixes and no new features.

For the third time: This is not like “sure, I should be flossing my
teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a
motorcycle through downtown in rush hour”. It’s not a suggestion, it’s
a prescription. So get to it!

As always, the trick is to do “gem install rails” and then either
change config/environment.rb, if you’re bound to gems, or do “rake
rails:freeze:gems” if you’re freezing gems in vendor.

P.S.: If you run a major Rails site and for some reason are completely
unable to upgrade to 1.1.5, get in touch with the core team and we’ll
try to work with you on a solution.

David Heinemeier H.
http://www.loudthinking.com – Broadcasting Brain
http://www.basecamphq.com – Online project management
http://www.backpackit.com – Personal information manager
http://www.rubyonrails.com – Web-application framework

Just got this email, a big delay or the wrong message?

On Aug 12, 2006, at 4:48 PM, Abdur-Rahman A. wrote:

Just got this email, a big delay or the wrong message?

It looks like some mail server somewhere is a bit overloaded, and
some messages are being held for days for some users.

Mail I sent the list took 3 days to show up in my inbox. Which was
approximately 2 days and 23 hours after I got mail directly replying
to that message.

-faisal

David Heinemeier H. wrote:

The issue is in fact of such a criticality that we’re not going to dig
into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is
fully drop-in compatible with 1.1.4. It only includes a handful of bug
fixes and no new features.

The above message was sent on Wednesday 9th August at 17:46 GMT. It
reached my ISP on Monday 14th August at 02:30 GMT.

Not the best way to get people to “upgrade today” :)

Relevant headers:

Received: from lists.rubyonrails.org ([70.84.143.100]
helo=wrath.rubyonrails.com) by A.hopeless.aaisp.net.uk ([81.187.81.11])
with AAISP icebox mailer (build Apr 26 2006 09:48:24) for
[email protected]; Mon, 14 Aug 2006 03:30:53 +0100
Received: from 6d.8f.5446.static.theplanet.com
(localhost.rubyonrails.org [127.0.0.1]) by wrath.rubyonrails.com
(Postfix) with ESMTP id DC1593A8FB; Wed, 9 Aug 2006 17:58:13 +0000
(GMT)
Received: from nf-out-0910.google.com (nf-out-0910.google.com
[64.233.182.187]) by wrath.rubyonrails.com (Postfix) with ESMTP id
F279F3BA9F for [email protected]; Wed, 9 Aug 2006 17:46:02
+0000 (GMT)

regards

Justin
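The delay Justin worked out by hand can be read mechanically from the Received chain, which is the same walk a mail-forensics check does to find where a message stalled. This is an added example, not code from the thread; the headers are copied from Justin's message (unfolded), with the list addresses the archive elided replaced by constructed placeholders.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Received headers from the message above, unfolded, newest first (the order
# they appear in the mail). Recipient addresses are constructed placeholders.
RECEIVED_HEADERS = [
    "from lists.rubyonrails.org ([70.84.143.100] helo=wrath.rubyonrails.com) "
    "by A.hopeless.aaisp.net.uk ([81.187.81.11]) with AAISP icebox mailer "
    "(build Apr 26 2006 09:48:24) for recipient@example.invalid; "
    "Mon, 14 Aug 2006 03:30:53 +0100",
    "from 6d.8f.5446.static.theplanet.com (localhost.rubyonrails.org [127.0.0.1]) "
    "by wrath.rubyonrails.com (Postfix) with ESMTP id DC1593A8FB; "
    "Wed, 9 Aug 2006 17:58:13 +0000 (GMT)",
    "from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.187]) "
    "by wrath.rubyonrails.com (Postfix) with ESMTP id F279F3BA9F "
    "for list@example.invalid; Wed, 9 Aug 2006 17:46:02 +0000 (GMT)",
]

# "from <host> ... by <host>"; \b keeps "by" from matching inside "rubyonrails".
HOP_RE = re.compile(r"^from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.DOTALL)


def parse_received(header):
    """Return (from_host, by_host, timestamp) with the timestamp in UTC."""
    body, _, date_part = header.rpartition(";")  # the date follows the last ';'
    m = HOP_RE.search(body)
    if m is None:
        raise ValueError("unparseable Received header: " + header)
    ts = parsedate_to_datetime(date_part.strip()).astimezone(timezone.utc)
    return m.group("from"), m.group("by"), ts


def hop_delays(headers):
    """Walk the chain oldest-first; yield (from_host, by_host, seconds since
    the previous hop). The oldest hop gets 0 because nothing precedes it.
    Only hops stamped by relays you trust are reliable: a sender can forge
    any Received line below the point where the message entered your path."""
    out, prev = [], None
    for frm, by, ts in (parse_received(h) for h in reversed(headers)):
        out.append((frm, by, 0 if prev is None else int((ts - prev).total_seconds())))
        prev = ts
    return out


def total_transit_seconds(headers):
    return sum(delay for _, _, delay in hop_delays(headers))
```

For these headers the chain sat 12 minutes at the list host and then 4 days 8 hours 32 minutes between wrath.rubyonrails.com and the AAISP relay, which matches the "Wednesday to Monday" gap in the post.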
