[CODE4LIB] Extremely critical Ruby on Rails bug
Folks,

I know a lot of you are running Ruby on Rails for various projects; just wanted to be sure you saw this critical security issue with all versions of Rails:

http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-20-sites/

In short, the following versions are safe: 3.2.11, 3.1.10, 3.0.19, or 2.3.15

Cheers,

-Ian Walls
Web Services and Emerging Technologies Librarian
UMass Amherst Libraries
Re: [CODE4LIB] Extremely critical Ruby on Rails bug
The Phusion folks did a nice summary write up.

http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/#.UOX7xfhdeHG

On Wed, Jan 9, 2013 at 6:27 AM, Ian Walls iwa...@library.umass.edu wrote:
> Folks,
>
> I know a lot of you are running Ruby on Rails for various projects; just wanted to be sure you saw this critical security issue with all versions of Rails:
>
> http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-20-sites/
>
> In short, the following versions are safe: 3.2.11, 3.1.10, 3.0.19, or 2.3.15
>
> Cheers,
>
> -Ian Walls
> Web Services and Emerging Technologies Librarian
> UMass Amherst Libraries
Re: [CODE4LIB] Extremely critical Ruby on Rails bug
That appears to be a different issue. The Phusion post is talking about CVE-2012-5664, but this new one is CVE-2013-0156. Still, lots of trouble.

Mike

-----Original Message-----
From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Patrick Berry
Sent: Wednesday, January 09, 2013 10:06 AM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: Re: [CODE4LIB] Extremely critical Ruby on Rails bug

> The Phusion folks did a nice summary write up.
>
> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/#.UOX7xfhdeHG
>
> On Wed, Jan 9, 2013 at 6:27 AM, Ian Walls iwa...@library.umass.edu wrote:
>> Folks,
>>
>> I know a lot of you are running Ruby on Rails for various projects; just wanted to be sure you saw this critical security issue with all versions of Rails:
>>
>> http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-20-sites/
>>
>> In short, the following versions are safe: 3.2.11, 3.1.10, 3.0.19, or 2.3.15
>>
>> Cheers,
>>
>> -Ian Walls
>> Web Services and Emerging Technologies Librarian
>> UMass Amherst Libraries
Re: [CODE4LIB] Extremely critical Ruby on Rails bug
Patrick, that is not the same vulnerability. That one was fixed by 3.2.10, the latest vulnerability is fixed by 3.2.11. The more recent vulnerability is far more serious and can result in arbitrary code execution.

Regards,
Justin Coyne
Data Curation Experts

On Wed, Jan 9, 2013 at 11:06 AM, Patrick Berry pbe...@gmail.com wrote:
> The Phusion folks did a nice summary write up.
>
> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/#.UOX7xfhdeHG
>
> On Wed, Jan 9, 2013 at 6:27 AM, Ian Walls iwa...@library.umass.edu wrote:
>> Folks,
>>
>> I know a lot of you are running Ruby on Rails for various projects; just wanted to be sure you saw this critical security issue with all versions of Rails:
>>
>> http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-20-sites/
>>
>> In short, the following versions are safe: 3.2.11, 3.1.10, 3.0.19, or 2.3.15
>>
>> Cheers,
>>
>> -Ian Walls
>> Web Services and Emerging Technologies Librarian
>> UMass Amherst Libraries
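The thread gives the patched releases (3.2.11, 3.1.10, 3.0.19, 2.3.15) and Justin's point that 3.2.10 only covers the earlier SQL-injection issue, not CVE-2013-0156. The script below is an added example, not something posted to the list, that turns those facts into a check a Rails operator can run against a Gemfile.lock: it reads the pinned rails version and reports whether it is at or above the fixed release of its series. It assumes the standard Bundler lockfile layout and that any release later than the fixed one in the same series is also patched; series not named in the thread are flagged for manual review rather than judged. The lockfile text is a constructed sample.

```ruby
require "rubygems"

# Added example (not from the CODE4LIB thread). Patched Rails releases for
# CVE-2013-0156 as listed in the thread, keyed by major.minor series.
# Assumption: anything later than the fixed release in the same series is
# also patched; 3.2.10 is below 3.2.11 and so is still reported vulnerable.
FIXED_RELEASES = {
  "3.2" => Gem::Version.new("3.2.11"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.0" => Gem::Version.new("3.0.19"),
  "2.3" => Gem::Version.new("2.3.15"),
}.freeze

# Pull the resolved version of a gem out of Gemfile.lock text. Bundler writes
# resolved gems under "GEM / specs:" indented exactly four spaces, e.g.
# "    rails (3.2.8)"; six-space lines are that gem's dependencies and the
# DEPENDENCIES section uses "(= x.y.z)", so neither matches this pattern.
# Returns nil when the gem is not locked at all.
def locked_version(lockfile_text, gem_name = "rails")
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile_text.each_line do |line|
    if (m = line.match(pattern))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Classify a Rails version against the fixed releases above.
#   :patched        - in a listed series and at or above its fixed release
#   :vulnerable     - in a listed series but below the fixed release
#   :unknown_series - a series the thread does not list; review by hand
#   :missing        - rails is not pinned in the lockfile
def rails_status(version)
  return :missing if version.nil?
  series = version.segments[0, 2].join(".")
  fixed = FIXED_RELEASES[series]
  return :unknown_series if fixed.nil?
  version >= fixed ? :patched : :vulnerable
end

# Constructed sample lockfile pinning a version below the 3.2 fix.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.1)
      rails (3.2.8)
        actionpack (= 3.2.8)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.8)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a real lockfile path as the first argument; otherwise use the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  v = locked_version(text)
  puts "rails #{v || '(not locked)'}: #{rails_status(v)}"
end
```

Run it as `ruby check_rails.rb path/to/Gemfile.lock`; with no argument it evaluates the embedded sample and reports `rails 3.2.8: vulnerable`. A `:patched` result only says the lockfile pins a fixed release; the running deployment still has to have been bundled and restarted from that lockfile.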