Ruby on Rails development tool has 'serious' flaw

Bill Brenner, Senior News Writer

Developers using the emerging open source Ruby on Rails tool are urged to upgrade to version 1.1.5 to fix a severe undisclosed security hole.

In a blog posting, the Ruby on Rails management team said the upgrade is mandatory due to the seriousness of the threat to the framework, which is used to construct database-backed Web applications. "If you have a public Rails site, you must upgrade to Rails 1.1.5," the posting said. "The security issue is severe and you do not want to be caught unpatched."

The issue is so critical that specifics on the vulnerability and how it could be exploited are being withheld, the Rails team said, adding that there's "no need to arm would-be assailants." Full details will be released once everyone has had a "fair chance" to upgrade.

In a later posting, the Ruby on Rails team said Rails 1.0 and prior are not affected by the flaw, nor is Rails 1.1.3. "We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are," the team said, adding that the only versions affected are 1.1.0, 1.1.1, 1.1.2, and 1.1.4.

Users can grab an updated version of Ruby on Rails via Ruby's Gems package management system, or they can manually download the package from the Rails Web site.

Danish developer David Heinemeier Hansson released the framework for Rails in July 2004, and it reached version 1.0 last year.

Apple Computer Inc. announced this week that Ruby on Rails will ship along with the next version of the Mac OS. Version 10.5, codenamed Leopard, is expected to be released in the spring of 2007.
