<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Yep, this one's a biggie. You really need to update all your Rails apps, right away.<div><br></div><div>It's reasonably easy to create a DoS attack on any Rails app using it: some of the guys on the team I'm working on right now proved it last night, shortly before we patched. It's only marginally less easy to craft writes into your database.<div><br></div><div>Chris<br><div><div><br></div><div><div><div>On 9 Jan 2013, at 06:58, Graham Ashton <<a href="mailto:graham@effectif.com">graham@effectif.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">That post covers the previous vulnerability. The ones announced last night are new (and more serious), leading to "upgrade immediately" recommendations.<br><br>Mark Burns <<a href="mailto:markthedeveloper@gmail.com">markthedeveloper@gmail.com</a>> wrote:<br><br><div dir="ltr">This gives a useful breakdown of the details.<div><br></div><div> <a href="http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/" target="_blank">http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/</a>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 9 January 2013 06:20, Matthew Rudy Jacobs <span dir="ltr"><<a href="mailto:matthewrudyjacobs@gmail.com" target="_blank">matthewrudyjacobs@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I guess you all know.<div><br></div><div>But for anyone who hasn't yet heard:</div><div>All versions of Rails need to be upgraded or patched.</div>
<div><br></div><div><a href="https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion" style="font-family:arial,sans-serif;font-size:13px" target="_blank">https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion</a><br>
</div></div>
<br>_______________________________________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org">Chat@lists.lrug.org</a><br>
<a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/listinfo.cgi/chat-lrug.org</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; ">--<br>Chris Parsons<br><a href="mailto:chris.p@rsons.org">chris.p@rsons.org</a><br>http://twitter.com/chrismdp<br>http://pa.rsons.org<br><br><br><br></span>
</div>
<br></div></div></div></div></body></html>