Ruby on Rails development tool has 'serious' flaw

Bill Brenner

Developers using the emerging open source Ruby on Rails tool are urged to upgrade to version 1.1.5 to fix a severe undisclosed security hole.

In a blog posting, the Ruby on Rails management team said the upgrade is mandatory due to the seriousness of the threat to the framework, which is used to construct database-backed Web applications. "If you have a public Rails site, you must upgrade to Rails 1.1.5," the posting said. "The security issue is severe and you do not want to be caught unpatched."

The issue is so critical that specifics on the vulnerability and how it could be exploited are being withheld, the Rails team said, adding that there's "no need to arm would-be assailants." Full details will be released once everyone has had a "fair chance" to upgrade.

In a later posting, the Ruby on Rails team said Rails 1.0 and prior are not affected by the flaw, nor is Rails 1.1.3. "We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are," the team said, adding that the only versions affected are 1.1.0, 1.1.1, 1.1.2, and 1.1.4.

Users can grab an updated version of Ruby on Rails via Ruby's Gems package management system, or they can manually download the package from the Rails Web site.

Danish developer David Heinemeier Hansson released the framework for Rails in July 2004, and it reached version 1.0 last year.

Apple Computer Inc. announced this week that Ruby on Rails will ship along with the next version of the Mac OS. Version 10.5, codenamed Leopard, is expected to be released in the spring of 2007.
