comp.lang.ruby

[ANN] Rails 1.1.5: Mandatory security patch (and other tidbits)

David Heinemeier Hansson

8/9/2006 5:54:00 PM

We're still hard at work on Rails 1.2, which features all the new
dandy REST stuff and more, but a serious security concern has come to
our attention that needed to be addressed sooner than the release of
1.2 would allow. So here's Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent
edge (which isn't affected by this). If you have a public Rails site,
you MUST upgrade to Rails 1.1.5. The security issue is severe and you
do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig
into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is
fully drop-in compatible with 1.1.4. It only includes a handful of bug
fixes and no new features.

For the third time: This is not like "sure, I should be flossing my
teeth". This is "yes, I will wear my helmet as I try to go 100mph on a
motorcycle through downtown in rush hour". It's not a suggestion, it's
a prescription. So get to it!

As always, the trick is to do "gem install rails" and then either
changing config/environment.rb, if you're bound to gems, or do "rake
rails:freeze:gems" if you're freezing gems in vendor.

P.S.: If you run a major Rails site and for some reason are completely
unable to upgrade to 1.1.5, get in touch with the core team and we'll
try to work with you on a solution.
--
David Heinemeier Hansson
http://www.loudth... -- Broadcasting Brain
http://www.base... -- Online project management
http://www.back... -- Personal information manager
http://www.rubyo... -- Web-application framework
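The announcement tells gem-bound apps to bump config/environment.rb; the check a practitioner wants before and after that step is whether the pinned RAILS_GEM_VERSION is at or above 1.1.5. The following is an added example, not code from the announcement or from Rails itself; it assumes the Rails 1.1-era `RAILS_GEM_VERSION = '...'` pin line in config/environment.rb and uses constructed sample file contents. It reports :unknown for an unpinned app, because an unpinned app loads whatever Rails gem is newest on the host, so the file alone cannot prove it is patched.

```ruby
# Added example: audit a Rails app's pinned gem version against the
# patched 1.1.5 release. Not code from the announcement or from Rails.
require 'rubygems'

MIN_PATCHED_RAILS = Gem::Version.new('1.1.5')

# Pull the RAILS_GEM_VERSION pin out of the text of config/environment.rb.
# Returns nil when no (uncommented) pin line is present.
def pinned_rails_version(environment_rb)
  line = environment_rb.lines.find { |l| l =~ /^\s*RAILS_GEM_VERSION\s*=/ }
  return nil unless line && line =~ /['"]([\w.]+)['"]/
  $1
end

# Classify a version string as :patched, :vulnerable, or :unknown when the
# string is missing or does not parse as a gem version. Gem::Version compares
# numerically, so '1.1.10' correctly ranks above '1.1.5'.
def rails_patch_status(version)
  return :unknown if version.nil?
  Gem::Version.new(version) >= MIN_PATCHED_RAILS ? :patched : :vulnerable
rescue ArgumentError
  :unknown
end

# Status for a whole environment.rb text.
def audit_environment_rb(environment_rb)
  rails_patch_status(pinned_rails_version(environment_rb))
end

# Constructed sample inputs (not taken from any real application).
SAMPLE_UNPATCHED = <<'RB'
# Be sure to restart your web server when you modify this file.
RAILS_GEM_VERSION = '1.1.4' unless defined? RAILS_GEM_VERSION
require File.join(File.dirname(__FILE__), 'boot')
RB

SAMPLE_PATCHED = SAMPLE_UNPATCHED.sub("'1.1.4'", "'1.1.5'")
SAMPLE_UNPINNED = "require File.join(File.dirname(__FILE__), 'boot')\n"

if __FILE__ == $0
  { 'unpatched' => SAMPLE_UNPATCHED,
    'patched'   => SAMPLE_PATCHED,
    'unpinned'  => SAMPLE_UNPINNED }.each do |name, text|
    puts "#{name}: #{audit_environment_rb(text)}"
  end
end
```

Run it against a real app by reading config/environment.rb into a string and passing it to audit_environment_rb; for apps that froze Rails into vendor/rails with "rake rails:freeze:gems", the pin is irrelevant and the vendored copy's version must be checked instead.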

28 Answers

Tom Jordan

8/9/2006 6:06:00 PM

0

I'm getting a Zlib::BufError when it gets to actionpack

On 8/9/06, David Heinemeier Hansson <david.heinemeier@gmail.com> wrote:
> We're still hard at work on Rails 1.2, which features all the new
> dandy REST stuff and more, but a serious security concern has come to
> our attention that needed to be addressed sooner than the release of
> 1.2 would allow. So here's Rails 1.1.5!
>
> This is a MANDATORY upgrade for anyone not running on a very recent
> edge (which isn't affected by this). If you have a public Rails site,
> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> do not want to be caught unpatched.
>
> The issue is in fact of such a criticality that we're not going to dig
> into the specifics. No need to arm would-be assailants.
>
> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is
> fully drop-in compatible with 1.1.4. It only includes a handful of bug
> fixes and no new features.
>
> For the third time: This is not like "sure, I should be flossing my
> teeth". This is "yes, I will wear my helmet as I try to go 100mph on a
> motorcycle through downtown in rush hour". It's not a suggestion, it's
> a prescription. So get to it!
>
> As always, the trick is to do "gem install rails" and then either
> changing config/environment.rb, if you're bound to gems, or do "rake
> rails:freeze:gems" if you're freezing gems in vendor.
>
> P.S.: If you run a major Rails site and for some reason are completely
> unable to upgrade to 1.1.5, get in touch with the core team and we'll
> try to work with you on a solution.
> --
> David Heinemeier Hansson
> http://www.loudth... -- Broadcasting Brain
> http://www.base... -- Online project management
> http://www.back... -- Personal information manager
> http://www.rubyo... -- Web-application framework
>
>


--
"Nothing will ever be attempted, if all
possible objections must first be
overcome." - Samuel Johnson

"Luck is what happens when
preparation meets opportunity." - Seneca

William Grosso

8/9/2006 6:15:00 PM

0


Me too. I'm on Windows, if that matters (does it work on other
platforms)?


Bill

Tom Jordan wrote:
> I'm getting a Zlib::BufError when it gets to actionpack
>
> On 8/9/06, David Heinemeier Hansson <david.heinemeier@gmail.com> wrote:
>> We're still hard at work on Rails 1.2, which features all the new
>> dandy REST stuff and more, but a serious security concern has come to
>> our attention that needed to be addressed sooner than the release of
>> 1.2 would allow. So here's Rails 1.1.5!
>>
>> This is a MANDATORY upgrade for anyone not running on a very recent
>> edge (which isn't affected by this). If you have a public Rails site,
>> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
>> do not want to be caught unpatched.
>>
>> The issue is in fact of such a criticality that we're not going to dig
>> into the specifics. No need to arm would-be assailants.
>>
>> So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is
>> fully drop-in compatible with 1.1.4. It only includes a handful of bug
>> fixes and no new features.
>>
>> For the third time: This is not like "sure, I should be flossing my
>> teeth". This is "yes, I will wear my helmet as I try to go 100mph on a
>> motorcycle through downtown in rush hour". It's not a suggestion, it's
>> a prescription. So get to it!
>>
>> As always, the trick is to do "gem install rails" and then either
>> changing config/environment.rb, if you're bound to gems, or do "rake
>> rails:freeze:gems" if you're freezing gems in vendor.
>>
>> P.S.: If you run a major Rails site and for some reason are completely
>> unable to upgrade to 1.1.5, get in touch with the core team and we'll
>> try to work with you on a solution.
>> --
>> David Heinemeier Hansson
>> http://www.loudth... -- Broadcasting Brain
>> http://www.base... -- Online project management
>> http://www.back... -- Personal information manager
>> http://www.rubyo... -- Web-application framework
>>
>>
>
>


James Gray

8/9/2006 6:23:00 PM

0

On Aug 9, 2006, at 1:14 PM, William Grosso wrote:

>
> Me too. I'm on Windows, if that matters (does it work on other
> platforms)?

I did update successfully on Mac OS X.

James Edward Gray II

Tom Jordan

8/9/2006 6:29:00 PM

0

I should have included this info:

Platform: Windows XP
gem --version ==> 0.9.0
ruby --version ==> ruby 1.84 (2006-04-14) [i386-mswin32]


On 8/9/06, William Grosso <wgrosso@wgrosso.com> wrote:
>
> Me too. I'm on Windows, if that matters (does it work on other
> platforms)?

> Tom Jordan wrote:
> > I'm getting a Zlib::BufError when it gets to actionpack



--
"Nothing will ever be attempted, if all
possible objections must first be
overcome." - Samuel Johnson

"Luck is what happens when
preparation meets opportunity." - Seneca

khaines

8/9/2006 6:42:00 PM

0

Kent Sibilev

8/9/2006 6:49:00 PM

0

On 8/9/06, khaines@enigo.com <khaines@enigo.com> wrote:
> On Thu, 10 Aug 2006, David Heinemeier Hansson wrote:
>
> > This is a MANDATORY upgrade for anyone not running on a very recent
> > edge (which isn't affected by this). If you have a public Rails site,
> > you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> > do not want to be caught unpatched.
> >
> > The issue is in fact of such a criticality that we're not going to dig
> > into the specifics. No need to arm would-be assailants.
>
> This seems misguided to me. One of the things that I have always
> appreciated about the general open source environment is that when
> there is a security vulnerability it is announced. It is described.
> And it is fixed.
>
> The process is open, and it works because someone can go and look at
> the information about the vulnerability and learn from it, and they can
> have faith in the advice to upgrade because the vulnerability
> announcement is clear about what the exploit is and the risk from it.
>
+1

--
Kent
---
http://www.dat...

Matthew Smillie

8/9/2006 7:03:00 PM

0

On Aug 9, 2006, at 19:41, khaines@enigo.com wrote:

> On Thu, 10 Aug 2006, David Heinemeier Hansson wrote:
>
>> This is a MANDATORY upgrade for anyone not running on a very recent
>> edge (which isn't affected by this). If you have a public Rails site,
>> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
>> do not want to be caught unpatched.
>>
>> The issue is in fact of such a criticality that we're not going to
>> dig
>> into the specifics. No need to arm would-be assailants.
>
> This seems misguided to me. One of the things that I have always
> appreciated about the general open source environment is that when
> there is a security vulnerability it is announced. It is
> described. And it is fixed.
>
> The process is open, and it works because someone can go and look
> at the information about the vulnerability and learn from it, and
> they can have faith in the advice to upgrade because the
> vulnerability announcement is clear about what the exploit is and
> the risk from it.

There are competing interests at stake beyond adhering to general
open-source philosophy. If, for example, a vulnerability is very
easily exploited, and could cause data loss or other significant
damage, there's a very strong case to be made for fixing first and
giving explicit documentation later.

In other words, if you lose your entire database two hours after the
announcement (because it was announced at 2am local time, say), it's
pretty cold comfort that the vulnerability was openly discussed and
evaluated according to all the best practices of the open-source
community.

In any case, the only thing missing is a spoon-fed description of the
vulnerability. The fix itself is public, and if you're into that
sort of thing, I'm sure you could get a good idea of the exploit by
examining changes to the source code.

matthew smillie.

James Britt

8/9/2006 7:06:00 PM

0

khaines@enigo.com wrote:

>
> This seems misguided to me. One of the things that I have always
> appreciated about the general open source environment is that when
> there is a security vulnerability it is announced. It is described. And
> it is fixed.
>
> The process is open, and it works because someone can go and look at the
> information about the vulnerability and learn from it, and they can have
> faith in the advice to upgrade because the vulnerability announcement is
> clear about what the exploit is and the risk from it.

I agree. I understand there's value in insisting on applying the
upgrade rather than going into detail; people may decide that they can
simply patch the code themselves, or misunderstand the security risk and
put off the upgrade.

But that should be the individual's call.

Besides, if one does a diff from 1.1.4 and 1.1.5, wouldn't the problem
be exposed anyway? Security through obscurity is not going to be a big
hindrance to people intent on doing bad things. The cat's out of the bag.



--
James Britt

"In Ruby, no one cares who your parents were, all they care
about is if you know what you are talking about."
- Logan Capaldo

Michael Trier

8/9/2006 7:15:00 PM

0

Also getting the Zlib::BufError problem on Windows. Advice?

Michael

Stefan Klasen

8/9/2006 7:22:00 PM

0

As mentioned in the rubyonrails weblog a "gem install rubyzip" should fix it.

Stefan

On 8/9/06, Michael Trier <mtrier@gmail.com> wrote:
> Also getting the Zlib::BufError problem on Windows. Advice?
>
> Michael
>
>