[ANN] Rails 1.1.5: Mandatory security patch (and other tidbits)

I kinda took this message to mean that they would give folks some time
to upgrade before (eventually) releasing the details. That's fairly
standard procedure, isn't it? Maybe not, though.

- Dan



-----Original Message-----
From: khaines@enigo.com [mailto:khaines@enigo.com]
Sent: Wednesday, August 09, 2006 12:42 PM
To: ruby-talk ML
Subject: Re: [ANN] Rails 1.1.5: Mandatory security patch (and other tidbits)

On Thu, 10 Aug 2006, David Heinemeier Hansson wrote:

> This is a MANDATORY upgrade for anyone not running on a very recent
> edge (which isn't affected by this). If you have a public Rails site,
> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> do not want to be caught unpatched.
> The issue is in fact of such a criticality that we're not going to dig
> into the specifics. No need to arm would-be assailants.

This seems misguided to me. One of the things that I have always
appreciated about the general open source environment is that when
there is a security vulnerability it is announced. It is described.
And it is fixed.

The process is open, and it works because someone can go and look at
the information about the vulnerability and learn from it, and they can
have faith in the advice to upgrade because the vulnerability
announcement is clear about what the exploit is and the risk from it.