[ISN] Rails users urged to fix flaw immediately

From: InfoSec News (alerts@private)
Date: Thu Aug 10 2006 - 22:52:06 PDT


http://news.com.com/Rails+users+urged+to+fix+flaw+immediately/2100-1009_3-6104228.html

By Jonathan Bennett
Special to CNET News.com
August 10, 2006

Users of Ruby on Rails have been told to update their installations 
immediately, following the discovery of a security flaw in the popular 
open-source Web application framework.

The Ruby on Rails team members released a patch on Wednesday that they 
describe as "mandatory" for all public sites built using recent versions 
of the Web-application framework.

This patch fixes what the team called a "serious security concern," the 
precise nature of which hasn't been revealed, in all versions of Rails 
from 1.1 up to 1.1.4.

"The issue is in fact of such a criticality that we're not going to dig 
into the specifics," the team said in a statement. However, the flaw does 
appear to be in the Rails framework rather than in the Ruby language 
itself.

The team has promised to release more details of the problem in Rails, but 
said it wants to give users a chance to fix their systems before giving 
out information that could help attackers. Rails was created by David 
Heinemeier Hansson and reached version 1.0 in December of last year.

The updated version of Rails is available through Ruby's Gems package 
management system, or by downloading the package manually from the Rails 
Web site.

Jonathan Bennett of Builder UK reported from London.

