Have full disclosure for code vulnerabilities

The Rails core team released 1.1.6 of the framework today, one day after 1.1.5. Both releases address a serious vulnerability in the Routes module. The core team has been extremely prompt in publicising the hole and in releasing fixes.

However (you know there had to be one), I take issue with how the first fix release, 1.1.5, was handled. It appears that release did not fully rectify the problem, hence the need for 1.1.6. While DHH explained why 1.1.5 was released, he did not detail exactly what was wrong, opting for a security-through-obscurity approach.

In retrospect, full disclosure would have been the better move. Knowing only that "there is a hole in routing" tells a site operator nothing about their actual exposure; knowing what the hole is would have given developers the information they needed to decide whether to take their sites down until patched, given what a compromise can mean (data loss, data theft, and so on).

That said, if you're running a Rails web application in the wild, UPGRADE NOW.

EDIT: mixed up my rails versions, doh!

2 Comments »

  1. Jason Young said,

    August 11th, 2006 at 6:43 pm

    You mean 1.1.6 and 1.1.5 don’t you? Unless you are remarkably prescient :-)

  2. Doug said,

    August 11th, 2006 at 9:16 pm

    Yea Jason, you’re right. Going to blame my dog for this mistake, ;-)
