[ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!
144 views
Skip to first unread message
Aaron Patterson
Jan 2, 2013, 4:28:36 PM1/2/13
to rubyonra...@googlegroups.com, rubyonra...@googlegroups.com, ruby...@ruby-lang.org
Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
For other change in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:
* [Changes in 3.2.10](https://github.com/rails/rails/compare/v3.2.9...v3.2.10)
* [Changes in 3.1.9](https://github.com/rails/rails/compare/v3.1.8...v3.1.9)
* [Changes in 3.0.18](https://github.com/rails/rails/compare/v3.0.17...v3.0.18)
We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release.
To that end, we've minimized the number of changes in each release so that upgrading should be as smooth as possible.
Happy Holidays!
<3<3<3
--
Aaron Patterson
http://tenderlovemaking.com/
The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
For other change in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:
* [Changes in 3.2.10](https://github.com/rails/rails/compare/v3.2.9...v3.2.10)
* [Changes in 3.1.9](https://github.com/rails/rails/compare/v3.1.8...v3.1.9)
* [Changes in 3.0.18](https://github.com/rails/rails/compare/v3.0.17...v3.0.18)
We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release.
To that end, we've minimized the number of changes in each release so that upgrading should be as smooth as possible.
Happy Holidays!
<3<3<3
--
Aaron Patterson
http://tenderlovemaking.com/
Aaron Patterson
Jan 2, 2013, 4:35:11 PM1/2/13
to Aaron Patterson, rubyonra...@googlegroups.com, rubyonra...@googlegroups.com, ruby...@ruby-lang.org
On Wed, Jan 02, 2013 at 01:28:36PM -0800, Aaron Patterson wrote:
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
>
> The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
Oops! Forgot the CVE link:
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
>
> The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).
https://groups.google.com/group/rubyonrails-security/browse_thread/thread/c2353369fea8c53
Thanks for your patience!
Ryan Bigg
Jan 2, 2013, 7:49:24 PM1/2/13
to rubyonra...@googlegroups.com
Thank you, Aaron, for your work on Rails!
<3 <3 <3
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-co...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
>
<3 <3 <3
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-co...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
>
Rodrigo Rosenfeld Rosas
Jan 3, 2013, 6:09:12 AM1/3/13
to rubyonra...@googlegroups.com
Em 02-01-2013 19:28, Aaron Patterson escreveu:
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
... unless you're using Sequel instead of AR like me ;)
> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.
Hongli Lai
Jan 3, 2013, 8:16:39 AM1/3/13
to rubyonra...@googlegroups.com, rubyonra...@googlegroups.com, ruby...@ruby-lang.org, tende...@ruby-lang.org
This article explains how the vulnerability works, how it is triggered and what the facts are: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
Michael Koziarski
Jan 3, 2013, 1:21:45 PM1/3/13
to rubyonra...@googlegroups.com
On Friday, 4 January 2013 at 2:16 AM, Hongli Lai wrote:
This article explains how the vulnerability works, how it is triggered and what the facts are: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
Please don't give people misleading advice Hongli, when we told people they should upgrade immediately we meant it. It *is* exploitable under some circumstances, so people should be upgrading immediately to avoid the risk.
dburry
Jan 4, 2013, 1:18:01 AM1/4/13
to rubyonra...@googlegroups.com, mic...@koziarski.com
There's a really big difference between these two potential scenarios:
(a) every single rails app I've ever written that uses find_by_*(params[*]) is immediately and completely compromised by anyone in the world with a simple well crafted url
-and-
(b) every single rails app I've ever written might be completely compromised if I've done my code in certain ways that are not common, like somehow converting user supplied string keys to symbols (authlogic being only an example).
In either case, yes, I should "immediately" upgrade my rails to avoid the risk, since "complete compromise" is a pretty severe thing to risk (no matter how remote the chance). Let no man mistake that, or dull that message.... Let's upgrade! Don't put it off.
But the difference between (a) and (b) is in how much ridiculous sums of money should be spent on how many sleepless man-nights. The difference also can be in some manager deciding to ban rails from his company (or not), or some large customer of some rails-centric company deciding to not hire that company any longer (or keep hiring them).
I can understand pushing for upgrades, reducing liability, being on the safe side, etc, but please don't overstate the issue. If it's (a), please don't be nebulous about it, just plainly state that it's (a) and provide proof if people disagree. But if it's (b), please don't imply that it's (a).
Dave
(a) every single rails app I've ever written that uses find_by_*(params[*]) is immediately and completely compromised by anyone in the world with a simple well crafted url
-and-
(b) every single rails app I've ever written might be completely compromised if I've done my code in certain ways that are not common, like somehow converting user supplied string keys to symbols (authlogic being only an example).
In either case, yes, I should "immediately" upgrade my rails to avoid the risk, since "complete compromise" is a pretty severe thing to risk (no matter how remote the chance). Let no man mistake that, or dull that message.... Let's upgrade! Don't put it off.
But the difference between (a) and (b) is in how much ridiculous sums of money should be spent on how many sleepless man-nights. The difference also can be in some manager deciding to ban rails from his company (or not), or some large customer of some rails-centric company deciding to not hire that company any longer (or keep hiring them).
I can understand pushing for upgrades, reducing liability, being on the safe side, etc, but please don't overstate the issue. If it's (a), please don't be nebulous about it, just plainly state that it's (a) and provide proof if people disagree. But if it's (b), please don't imply that it's (a).
Dave
Hongli Lai
Jan 4, 2013, 8:39:52 AM1/4/13
to rubyonra...@googlegroups.com, mic...@koziarski.com
I will update the article with what you said here.
Reply all
Reply to author
Forward
0 new messages