New Releases: 2.3.11 and 3.0.4
Two new versions of Ruby On Rails have been released today. As well as a number of bugfixes, they contain fixes for several security issues. The full details of each of the vulnerabilities are available on the rubyonrails-security ...
Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0
There is a vulnerability in the nested attributes handling code in some versions of Ruby on Rails. An attacker could manipulate form parameters and make changes to records other than those the developer intended. This vulnerability has be...
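The class of bug described in that advisory is a nested-attributes update that trusts the `id` values submitted in the form. The check below is an added example written for this page, not the Rails fix or any Rails code: it takes the ids of the child records that actually belong to the parent and the `*_attributes` hash from the form (the hash shape, the `ForeignRecordError` name and the sample parameters are all assumptions constructed for the demo), and refuses any entry whose `id` is not owned by that parent.

```ruby
# Added example, not Rails code. Ownership check for nested attribute ids.
# Assumed input shape: the *_attributes hash a Rails form submits, keyed
# "0", "1", ...; an entry without an "id" is a new child record, an entry
# with an "id" must refer to a child that already belongs to this parent.

class ForeignRecordError < StandardError; end

# Splits submitted nested attributes into entries that may be applied to the
# parent and entries that reference records the parent does not own.
def partition_nested_attributes(owned_ids, submitted)
  owned = owned_ids.map(&:to_s)
  accepted = []
  rejected = []
  submitted.each_value do |attrs|
    id = attrs["id"]
    if id.nil?
      accepted << attrs                 # new child, created under this parent
    elsif owned.include?(id.to_s)
      accepted << attrs                 # existing child of this parent
    else
      rejected << attrs                 # id belongs to someone else's record
    end
  end
  [accepted, rejected]
end

# Fails closed: if any submitted id is foreign, nothing is applied.
def apply_nested_attributes!(owned_ids, submitted)
  accepted, rejected = partition_nested_attributes(owned_ids, submitted)
  unless rejected.empty?
    ids = rejected.map { |a| a["id"] }.join(",")
    raise ForeignRecordError, "nested ids not owned by parent: #{ids}"
  end
  accepted
end

# Constructed sample: the parent owns comments 10 and 11; the form edits 10,
# adds a new comment, and (tampered) tries to delete comment 999.
OWNED_CHILD_IDS = [10, 11].freeze
SUBMITTED_ATTRIBUTES = {
  "0" => { "id" => "10", "body" => "edited comment" },
  "1" => { "body" => "brand new comment" },
  "2" => { "id" => "999", "body" => "tampered", "_destroy" => "1" },
}.freeze

if __FILE__ == $0
  accepted, rejected = partition_nested_attributes(OWNED_CHILD_IDS, SUBMITTED_ATTRIBUTES)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
  begin
    apply_nested_attributes!(OWNED_CHILD_IDS, SUBMITTED_ATTRIBUTES)
  rescue ForeignRecordError => e
    puts "refused: #{e.message}"
  end
end
```

The ownership list must come from the parent's own association (what the parent actually has in the database), never from another request parameter, or the check is bypassable the same way.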
Double Shot #534
I pulled the trigger and upgraded my main dev box to Snow Leopard. Took about 12 hours including some false starts, but all appears to be well.
Growl 1.2b2 – With Snow Leopard compatibility for GrowlMail.
Capistrano: Make sure there is something to deploy - Tip passed on by Matt Darby.
openid_engine – Rails engine wrapper around the...
Double Shot #533
Time to update Rails in your production applications.
iStatMenus 2.0 – I was happy to see this come out, since it’s one of the few things I missed after my Snow Leopard update killed the old version.
Ruby on Rails 2.3.4: Security Fixes – New version is out, as well as patches for 2.0, 2.1, and 2.2....
Ruby on Rails 2.3.4: Security Fixes
We’ve released Ruby on Rails 2.3.4. This release fixes bugs and introduces a few minor features. Due to the inclusion of two security fixes, all users of the 2.3 series are recommended to upgrade as soon as possible.
Security Fixes
...
Timing Weakness in Ruby on Rails
There is a weakness in the code Ruby on Rails uses to verify message digests in the cookie store. Because it uses a non-constant time algorithm to verify the signatures an attacker may be able to determine when a forged signature is parti...
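To make the weakness concrete, here is an added Ruby example written for this page; it is not the Rails CookieStore or MessageVerifier code. It signs a cookie-style payload with HMAC-SHA1, then contrasts a comparison that stops at the first differing byte (whose running time reveals how long a correct prefix the attacker has guessed) with a constant-time comparison that does the same work regardless of input. The `base64(data)--hexdigest` cookie layout, the secret value and all helper names are assumptions for the demo.

```ruby
require 'openssl'
require 'base64'

# Added demo, not Rails code. SECRET is a constructed value for this demo only.
SECRET = "demo-secret-do-not-use".freeze

def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Emulates an early-exit comparison (what a plain String#== / memcmp typically
# does) and returns how many bytes it inspected before it knew the answer.
# That count, and therefore the elapsed time, grows with the length of the
# correct prefix in the attacker's guess: that is the timing leak.
def bytes_examined_early_exit(a, b)
  return 0 unless a.bytesize == b.bytesize
  examined = 0
  a.each_byte.with_index do |byte, i|
    examined += 1
    return examined if byte != b.getbyte(i)
  end
  examined
end

# Constant-time comparison: XOR every byte pair and OR the results together,
# so the work done does not depend on where (or whether) the strings differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff == 0
end

# Same accounting for the constant-time routine: always the full length.
def bytes_examined_constant_time(a, b)
  a.bytesize == b.bytesize ? a.bytesize : 0
end

# Assumed cookie layout: "base64(data)--hexdigest".
def build_cookie(data, secret = SECRET)
  payload = Base64.strict_encode64(data)
  "#{payload}--#{sign(payload, secret)}"
end

# Returns the data if the digest verifies (in constant time), nil otherwise.
def read_cookie(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(sign(payload, secret), digest)
  Base64.strict_decode64(payload)
rescue ArgumentError
  nil   # payload was not valid strict base64
end

# Forgery attempt: reuse the digest of a valid cookie on a different payload.
def forged_cookie(valid_cookie, new_data)
  _payload, digest = valid_cookie.split("--", 2)
  "#{Base64.strict_encode64(new_data)}--#{digest}"
end

if __FILE__ == $0
  cookie = build_cookie("user_id=42")
  puts "valid cookie reads:  #{read_cookie(cookie).inspect}"
  puts "forged cookie reads: #{read_cookie(forged_cookie(cookie, 'user_id=1')).inspect}"
  # A guess that matches the first 10 hex chars of the real digest, then differs.
  real = sign("session")
  guess = real.dup
  guess[10] = (guess[10] == "0" ? "1" : "0")
  puts "early-exit compare inspected #{bytes_examined_early_exit(real, guess)} of #{real.bytesize} bytes"
  puts "constant-time compare inspected #{bytes_examined_constant_time(real, guess)} of #{real.bytesize} bytes"
end
```

The early-exit count is what an attacker recovers statistically over many requests: each extra byte of correct prefix makes the server take measurably longer, so the digest can be guessed one byte at a time instead of all 20 bytes at once. The constant-time routine removes that signal; the length check it keeps is acceptable because the expected digest length is public.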
XSS Vulnerability in Ruby on Rails
There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
Versio...
Users and Passwords
Last week I lost several productive hours resetting my ‘insecure’ password on several websites due to a security breach at a website I haven’t used in more than a decade. If you’ve ever used that site, you’d be well advised to change your password pretty much everywhere. In order to prevent this happening...
Minor Changes to the Rails Security Policy
After reviewing the feedback on the two recent security announcements we’ve made a few minor changes to the Ruby on Rails security policy.
The first change we’ve made is to include more information on what to do if you don’t recei...
DoS Vulnerability in Ruby
A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to cra......
Security Problem with authenticate_with_http_digest
A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites, users a...
Unintrusive but secure passwordless ssh authentication
On a daily basis I need to log in to many remote servers inside or outside of Sun via SSH, often dozens of times per day. This can get pretty tiresome if you need to type in your password with every log in.
Some suggest setting up so-called "passwordl...