sozialhelden / brokenlift

Show broken lifts worldwide

Rails Security Vulnerability #17

Closed johnjohndoe closed 11 years ago

johnjohndoe commented 11 years ago

Hi there. I just want to remind you to update the Rails version running currently ... It's 3.1.1 at the moment as far as I can see.

Here is what Heroku wrote:

A serious security vulnerability has been found in the Ruby on Rails framework. This exploit affects nearly all applications running Rails and a patch has been made available. [...]

The following Rails versions have been patched and deemed safe from this exploit: 3.2.11, 3.1.10, 3.0.19, 2.3.15

How to Upgrade: Open the Gemfile in the affected application and change the Rails version to one listed above: rails '3.1.10'

Then run: $ bundle update rails

Then commit the results to git, and push to Heroku: $ git push heroku master

We might wanna set it in the Gemfile to rails '~> 3.1.10'.
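As an added example (not from this thread or the brokenlift project), a small Ruby check that reads the resolved Rails version out of a Gemfile.lock, compares it with the patched releases named in the Heroku notice, and shows what the suggested '~> 3.1.10' constraint would and would not allow; the Gemfile.lock fragment and the function names are constructed for this illustration.

```ruby
# Added example: check a Gemfile.lock's Rails version against the patched
# releases from the Heroku notice, and demonstrate the '~> 3.1.10' constraint.

# Minimum patched version per release series, as listed in the notice.
PATCHED = {
  "3.2" => Gem::Version.new("3.2.11"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.0" => Gem::Version.new("3.0.19"),
  "2.3" => Gem::Version.new("2.3.15"),
}.freeze

# Constructed Gemfile.lock fragment; 3.1.1 is the version the reporter saw.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.1.1)
        actionmailer (= 3.1.1)
        railties (= 3.1.1)
LOCK

# Pull the resolved rails version out of the lockfile's specs section.
# Returns a Gem::Version, or nil when rails is not in the lockfile.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^ {4}rails \(([\d.]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True when the version is at or above the patched release of its series.
# A series not in the notice is conservatively treated as not patched.
def patched?(version)
  series = version.segments.first(2).join(".")
  min = PATCHED.fetch(series) { return false }
  version >= min
end

# The pessimistic constraint suggested in the thread: '~> 3.1.10' admits
# any 3.1.x at or above 3.1.10 but never a 3.2 release.
def allowed_by_pessimistic?(version_string)
  Gem::Requirement.new("~> 3.1.10").satisfied_by?(Gem::Version.new(version_string))
end

if __FILE__ == $0
  v = rails_version_from_lock(SAMPLE_LOCK)
  puts "rails #{v}: #{patched?(v) ? 'patched' : 'NOT patched, upgrade'}"
end
```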

wikimatze commented 11 years ago

Dunno if that will run on our servers.

johnjohndoe commented 11 years ago

Test it then you know. Otherwise wait for a hacker to pass by.

christoph-buente commented 11 years ago

The app is not running on Heroku anymore. And I did an upgrade last night for brokenlifts.org. Rest assured. And we're not using AuthLogic for authorization, which is causing the vulnerability in conjunction with Rails.

christoph-buente commented 11 years ago

Seems to me I did not upgrade Rails but the newrelic client, which was somehow affected as well. I'll take care of the upgrade tomorrow unless someone else opts in first.

johnjohndoe commented 11 years ago

Thanks for clarifying this. I was not sure if you are still running on Heroku. I thought it might be worth a note anyways.

christoph-buente commented 11 years ago

Alright, updated and deployed.

johnjohndoe commented 11 years ago

:+1: Thanks for the time.