Have full disclosure for code vulnerabilities
by Doug on Aug.11, 2006, under Rails
The Rails core team released 1.1.6 of the framework today, a day after 1.1.5 was released. This was to fix a serious vulnerability in the Routes module. The core team has been extremely prompt in publicising the hole and in releasing fixes.
However(you know there had to be one), I take issue with how the first fix release (1.1.5) was handled. It appears that this release did not fully rectify the problem, hence the need for 1.1.6. While DHH revealed the reasons for 1.1.5, he did not detail exactly what was wrong, opting for a security through obscurity approach.
In retrospect, a full disclosure policy would have been a better move. This would have given developers more information in deciding whether to shut down their sites, in view of the implications(data loss/theft et al) of having it compromised.
That said, if you’re running a rails web application in the wild, UPGRADE NOW.
EDIT: mixed up my rails versions, doh!
August 11th, 2006 on 6:43 pm
You mean 1.1.6 and 1.1.5 don’t you? Unless you are remarkably prescient
August 11th, 2006 on 9:16 pm
Yea Jason, you’re right. Going to blame my dog for this mistake,