Anyone using Ruby on Rails should upgrade their installation to version 1.5 immediately. Apparently the Rails team found out about a flaw so terrifying that they aren’t releasing details of the bug until after folks have had ample opportunity to patch it. They haven’t even said how far back you have to go to get to a “safe” version – probably for fear that enterprising attackers would look at the changesets and identify where the flaw was introduced.
Any guesses as to what the bug entails? My money is on some sort of injection flaw – either SQL or Command. A distant second would be some sort of Cross-Site Scripting problem (XSS). We shall see…
–Dan
dan _at_ denimgroup.com