Ruby on Rails development tool has 'serious' flaw

Those who use the emerging Ruby on Rails open source Web application development framework are urged to switch to version 1.1.5 to fix an undisclosed security hole.

Developers using the emerging open source Ruby on Rails tool are urged to upgrade to version 1.1.5 to fix a severe undisclosed security hole.

In a blog posting, the Ruby on Rails management team said the upgrade is mandatory due to the seriousness of the threat to the framework, which is used to construct database-backed Web applications. "If you have a public Rails site, you must upgrade to Rails 1.1.5," the posting said. "The security issue is severe and you do not want to be caught unpatched."

The issue is so critical that specifics on the vulnerability and how it could be exploited are being withheld, the Rails team said, adding that there's "no need to arm would-be assailants." Full details will be released once everyone has had a "fair chance" to upgrade.

In a later posting, the Ruby on Rails team said Rails 1.0 and prior are not affected by the flaw, nor is Rails 1.1.3. "We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are," the team said, adding that the only versions affected are 1.1.0, 1.1.1, 1.1.2, and 1.1.4.

Users can grab an updated version of Ruby on Rails via Ruby's Gems package management system, or they can manually download the package from the Rails Web site.

Danish developer David Heinemeier Hansson released the Rails framework in July 2004, and it reached version 1.0 last year.

Apple Computer Inc. announced this week that Ruby on Rails will ship along with the next version of the Mac OS. Version 10.5, codenamed Leopard, is expected to be released in the spring of 2007.
