Critical rails security bug

From: Peter B.
Sent on: Thursday, January 10, 2013 10:00 AM
Hi All,

In my experience a lot of entrepreneurs have rails apps in development or production but are not subscribed to the rails security group at https://groups.google.com/forum/#!topic/rubyonrails-security

If you have a rails app, check with your developer(s) (whether full time or contract) and ask them about the latest updates to rails and whether they've deployed it yet:

They address a critical security issue (https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI) that you *need* to get patched if you have an app in production.

This hit two days ago, so it should be patched on all of your production apps and any development or staging apps with valuable data or that are running on physical servers that you own (a development only app on heroku is less critical).

While you're at it, sign up for the security updates for rails (or your production framework(s)). It may be the responsibility of developers to keep up with this, but it's you that is in real trouble if all of your customer data gets exploited.

If all goes well, theoretically the patch just takes a few minutes. In practice, the developer will have to ensure the app is still working well, which could take a while depending on how comprehensive your automated tests are. If the patch happens to break something, it'll take an indeterminate amount of time to fix, so for contractors you're looking at anything from a free fix or a one-hour bill, to a 1-3 hour project to fix and test, to a small risk of a larger project if the fix happens to break something.

Best Wishes,
Peter
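The e-mail asks you to find out whether the Rails update has actually been deployed. One concrete way to answer that without relying on a verbal "yes" is to read the app's Gemfile.lock, which records the exact Rails release the app is locked to, and compare it against the first fixed release of that series from the advisory. The script below is an added example, not part of Peter's message or of the Rails project; the Gemfile.lock text is constructed for the example, and the fixed-version map holds placeholder numbers that you replace with the versions named in the linked advisory.

```ruby
require "rubygems" # Gem::Version gives correct ordering of release numbers

# Placeholder map of "release series" => "first fixed release in that series".
# CONSTRUCTED values for the example; take the real ones from the advisory.
EXAMPLE_FIXED = {
  "3.2" => "3.2.99",
  "3.1" => "3.1.99",
  "3.0" => "3.0.99",
  "2.3" => "2.3.99",
}.freeze

# Constructed Gemfile.lock fragment. Resolved gems sit under "specs:" indented
# four spaces as "rails (x.y.z)"; their dependencies sit six spaces deep and
# use constraints such as "(= x.y.z)", so they must not be picked up.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        activesupport (= 3.2.8)
      rails (3.2.8)
        actionpack (= 3.2.8)
        railties (= 3.2.8)
      railties (3.2.8)

  DEPENDENCIES
    rails (= 3.2.8)
LOCK

# Return the Rails release the lockfile resolved to, or nil if rails is not
# listed as a resolved gem at all.
def locked_rails_version(lockfile_text)
  lockfile_text.each_line do |line|
    # Exactly four leading spaces, the gem name, then the bare version in parens.
    if (m = line.match(/\A {4}rails \(([^)]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# Classify a Rails version against the per-series fixed releases.
#   :missing        no Rails version was found
#   :unknown_series the series is not covered by the map (check the advisory)
#   :vulnerable     older than the first fixed release of its series
#   :patched        at or above the first fixed release of its series
def patch_status(version, fixed_by_series)
  return :missing if version.nil?
  v = Gem::Version.new(version)
  series = v.segments.first(2).join(".") # "3.2.8" -> "3.2"
  fixed = fixed_by_series[series]
  return :unknown_series unless fixed
  v >= Gem::Version.new(fixed) ? :patched : :vulnerable
end

# Convenience wrapper: lockfile text in, status out.
def check_lockfile(lockfile_text, fixed_by_series = EXAMPLE_FIXED)
  patch_status(locked_rails_version(lockfile_text), fixed_by_series)
end

if __FILE__ == $0
  # Pass a path to a real Gemfile.lock, or run without arguments on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  version = locked_rails_version(text)
  puts "rails #{version.inspect}: #{patch_status(version, EXAMPLE_FIXED)}"
end
```

Run it against each production and staging checkout; a `:vulnerable` or `:unknown_series` result is the cue to go back to the developer, and a `:missing` result usually means the app is not a Rails app or the lockfile is not committed, which is its own question to ask.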