Greetings,
As you may have heard, there is a critical vulnerability in Postgres,
which we use on Rubygems.org [1]. Fortunately, the risk is mitigated
by the fact that the DB server is accessible only from the application
server, which prevents arbitrary access from outside that app
machine's security group.
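The mitigation above rests on the database's security group admitting port 5432 only from the application server's group. The following audit function is an added example, not code from the original message or from Rubygems.org; it takes a security group in the dict shape that boto3's `ec2.describe_security_groups` returns (an assumption, so it runs offline on a constructed sample), and reports every inbound rule that would let anything other than the app server's group reach Postgres. The group IDs and CIDRs are constructed placeholders.

```python
# Added example (not part of the original message): audits a security
# group's inbound rules, in the dict shape returned by boto3's
# ec2.describe_security_groups, and reports any rule that would let a
# host outside the application server's security group reach Postgres.
# Group IDs and CIDRs below are constructed placeholders.

POSTGRES_PORT = 5432

def rule_covers_port(rule, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "all traffic" rules cover every port
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def postgres_exposures(group, app_sg_id, port=POSTGRES_PORT):
    """Return findings for inbound rules on `port` whose source is
    anything other than the application server's security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            findings.append("cidr %s" % r["CidrIp"])
        for r in rule.get("Ipv6Ranges", []):
            findings.append("cidr %s" % r["CidrIpv6"])
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != app_sg_id:
                findings.append("security group %s" % pair["GroupId"])
    return findings

# Constructed sample: one rule from the app group (expected) and one that
# opens the port to the whole internet (the misconfiguration to catch).
SAMPLE_DB_GROUP = {
    "GroupId": "sg-db-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app-placeholder"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for f in postgres_exposures(SAMPLE_DB_GROUP, "sg-app-placeholder"):
        print("Postgres reachable from", f)
```

An empty result means the only path to the database port is from the application server's security group, which is the condition the message relies on.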
Regardless, we should upgrade the database server ASAP (David and I
are thinking this weekend) to completely prevent any security issues
going forward. This will require a short period - probably less than 5
minutes - of downtime for the application. Gem installation will
continue to function normally during that time, but no new pushes will
be accepted and users won't be able to visit Rubygems.org proper.
Thoughts on an ideal time to do this?
Thanks and let me know if you have any questions!
-Sam
P.S. If you'd like to provide assistance with the Rubygems.org
infrastructure, feel free to reach out to me (samkottler) in
#rubygems-aws on Freenode or by emailing me at this address.
[1] http://www.postgresql.org/support/security/ - CVE-2013-1899