Anyone who maintains a server with, or develops using, the popular development framework Ruby on Rails should be aware of a severe security flaw in the suite. Warning that an immediate upgrade is required, RoR has announced today on their site that the 1.1.5 release fixes the flaw. They are quite insistent on getting it across that this is something that must be taken care of:
This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
Whether a panic upgrade or a silent approach would have been best isn't really the issue now, but making sure that you are patched is. Non-developers can pretty much ignore this, though if you maintain a site on a server that uses RoR you may want to make sure your host provider knows. If you are using a very old version of RoR, 1.0 or earlier, you are unaffected by this flaw. The particular details of how to replicate or identify the flaw aren't being made available by them.