Major Security Hole Found In Rails 177
mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.
Diff? (Score:5, Insightful)
meanwhile... (Score:5, Insightful)
RoR lacks maturity (Score:5, Insightful)
This is an example of why many major industries stay away from the "bleeding-edge" of tech products.
Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.
Re:RoR lacks maturity (Score:5, Insightful)
Re:odd... (Score:4, Insightful)
Re:odd... (Score:5, Insightful)
Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.
The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.
Mod parent insightful (Score:5, Insightful)
Eivind.
Mod parent informative (Score:3, Insightful)
Re:RoR lacks maturity (Score:5, Insightful)
However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.
get a grip peeps (Score:4, Insightful)
yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes
I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw
fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches
people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software
Re:get a grip peeps (Score:1, Insightful)
yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes
The difference is that other vendors supply patches for versions in common use instead of simply telling you to upgrade to a newer major version and refusing to tell you what the problem is so you can fix it yourself in the older version. And other vendors usually have at least some clue about which versions are affected instead of saying one thing, then changing their story, and then admitting that they don't have a fucking clue about what versions are affected.
Funny / True (Score:5, Insightful)
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)
Re:RoR lacks maturity (Score:5, Insightful)
Seems to be a SQL injection sploit (Score:4, Insightful)
Re: Major Security Hole Found In Rails (Score:1, Insightful)
Re: Major Security Hole Found In Rails (Score:5, Insightful)
Re:get a grip peeps (Score:4, Insightful)
Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of beiing an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.
As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.
You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look it *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.
There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.
Is that what the Ruby on Rails code is like? (Score:3, Insightful)
Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.
Re:Funny / True (Score:3, Insightful)
Re:How few? (Score:3, Insightful)
Re:Funny / True (Score:3, Insightful)
As someone currently using Basecamp, you're not far off.
Don't get me wrong -- it's good for what it is, and the price is right. That said, I'd give good odds that in two years, something similar and better will occupy Basecamp's market and mindshare. Sometimes, positive buzz is good for a product; other times, it primarily serves to draw the attention of those able to build a better mousetrap.