[ANN] Rails 1.1.5: Mandatory security patch (and other tidbits)

[gwtmp01]

And AFAIK, despite there being information released from 3rd
parties, like that blog entry, about the vulnerability now, there
is still no official statement.

Why is it that folks happily use open source software at no cost and
then
seem to expect that the accouterments of a legal/business/customer
relationship
must also exist with the authors of the software?

Or is it the other way around? That the open source folks want all the
*benefits* of a legal/business/customer relationship with their users
but
don't want to deal with any associated complaints/risks/liabilities?

It is probably a little of both.

Gary Wright

 

[William Grosso]

So, let's pretend for a moment that sometime within the next 24 hours, an
"official" explanation of the patch comes out. We'll then have seen the
following sequence:

1. Rails team notices issue and fixes issue.
2. Rails team issues patch and announces patch to community.
3. Rails team pauses while patch disseminates through world. Developers
who are really concerned about what the patch might contain have complete
access to changelogs and sourcecode and can figure out what's being
changed.
4. Rails team explains patch withing 48 hours

This is *good* performance. Whether or not it's open source or commercial,
this is good performance. The pause while the patch was disseminated was
probably the right action (certainly, any other course of action would have
been more questionable, and put more applications at risk).

They've given us an amazing framework, and they're behaving responsibly.

I, for one, want to publicly say "Thank you."


Bill

 

[Eric Hodel]

So, let's pretend for a moment that sometime within the next 24
hours, an
"official" explanation of the patch comes out. We'll then have seen
the
following sequence:

1. Rails team notices issue and fixes issue.
2. Rails team issues patch and announces patch to community.
3. Rails team pauses while patch disseminates through world.
Developers
who are really concerned about what the patch might contain have
complete
access to changelogs and sourcecode and can figure out what's being
changed.
4. Rails team explains patch withing 48 hours

This is *good* performance. Whether or not it's open source or
commercial,
this is good performance. The pause while the patch was
disseminated was
probably the right action (certainly, any other course of action
would have
been more questionable, and put more applications at risk).

They've given us an amazing framework, and they're behaving
responsibly.

I, for one, want to publicly say "Thank you."

This is the fourth vulnerability that I know in Rails of but the
first that has been fully acknowledged as such. Two were DOSs (one
which I discovered, one which was co-discovered by my company), the
third was described as a DOS but potentially was a vulnerability of
the same severity as this one.

 

[snacktime]

The only issue I have is with not disclosing the nature of the
problem. Upgrading without testing just isn't an option where I work.
If an application has to come down for adequate testing, that's how
it's done. We freeze the releases we run to the application, and in
some cases have applied patches against the source. Depending on the
nature of the problem, we could leave the applications up while we
test the new version of rails, or take them down if that was
necessary. However in a case like this we are flying blind. Not
disclosing the nature of the problem and it's potential impact is
simply the wrong approach. I'm sure the core team made the decision
they thought was best, it just happened to be the wrong decision.

Chris

 

[Andreas Schwarz]

This is the fourth vulnerability that I know in Rails of but the
first that has been fully acknowledged as such.

There's another one open:
http://wrath.rubyonrails.org/pipermail/rails-core/2006-July/002077.html

It's not as easily exploitable as the one that was fixed in 1.1.5, but
depending on the application it can be very dangerous, e.g. if the
string is used in a system call or in a SQL statement. I posted the
description and a fully tested and documented patch on the Rails-Core
list and on the bug tracker more than two weeks ago, with the tag
"Security" in the subject, but so far there hasn't even been a reaction
from the core developers.