Re: [newtech-1] Critical rails security bug

From: Marcus H. Y.
Sent on: Thursday, January 10, 2013 7:17 PM
+1 Peter.


On Thu, Jan 10, 2013 at 5:23 PM, Hanan <[address removed]> wrote:
Peter, Joly: 
Thanks for getting the message out to the list. I'm sure I'm not the only one who benefited from this.

-Hanan


On Thu, Jan 10, 2013 at 10:03 AM, Peter Bell <[address removed]> wrote:
Hi All,

In my experience a lot of entrepreneurs have Rails apps in development or production but are not subscribed to the Rails security group at https://groups.google.com/forum/#!topic/rubyonrails-security

If you have a Rails app, check with your developer(s) (whether full time or contract) and ask them about the latest updates to Rails and whether they've deployed them yet:

They address a critical security issue (https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI) that you *need* to get patched if you have an app in production.

This hit two days ago, so it should be patched on all of your production apps and any development or staging apps with valuable data or that are running on physical servers that you own (a development-only app on Heroku is less critical).

While you're at it, sign up for the security updates for Rails (or your production framework(s)). It may be the responsibility of developers to keep up with this, but it's you that is in real trouble if all of your customer data gets exploited.

If all goes well, theoretically the patch just takes a few minutes. In practice, the developer will have to ensure the app is still working well which could take a while depending on how comprehensive your automated tests are. If the patch happens to break something, it'll take an indeterminate amount of time to fix, so for contractors you're looking at anything from a free fix or one hour bill to a 1-3 hour project to fix and test to a small risk of a larger project if the fix happens to break something.

Best Wishes,
Peter


--
Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
This message was sent by Peter Bell ([address removed]) from NY Tech Meetup.