comp.lang.ruby

Re: [ANN] Rails 1.1.5: Mandatory security patch (and other tidbits)

Berger, Daniel

8/9/2006 7:01:00 PM

> -----Original Message-----
> From: khaines@enigo.com [mailto:khaines@enigo.com]
> Sent: Wednesday, August 09, 2006 12:42 PM
> To: ruby-talk ML
> Subject: Re: [ANN] Rails 1.1.5: Mandatory security patch (and other tidbits)
>
>
> On Thu, 10 Aug 2006, David Heinemeier Hansson wrote:
>
> > This is a MANDATORY upgrade for anyone not running on a very recent
> > edge (which isn't affected by this). If you have a public Rails site,
> > you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> > do not want to be caught unpatched.
> >
> > The issue is in fact of such a criticality that we're not going to dig
> > into the specifics. No need to arm would-be assailants.
>
> This seems misguided to me. One of the things that I have always
> appreciated about the general open source environment is that when
> there is a security vulnerability it is announced. It is described.
> And it is fixed.
>
> The process is open, and it works because someone can go and look at
> the information about the vulnerability and learn from it, and they can
> have faith in the advice to upgrade because the vulnerability
> announcement is clear about what the exploit is and the risk from it.

I kinda took this message to mean that they would give folks some time
to upgrade before (eventually) releasing the details. That's fairly
standard procedure, isn't it? Maybe not, though.

- Dan

