Posted: Wed, 9 Jan 2013 01:33 AM UTC
Last Update: Wed, 9 Jan 2013 03:47 AM UTC
If you are running any Ruby on Rails based websites, please check: http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-200000-sites/
You will need to update your server to avoid exploits.
Note: this will not affect most customers, only those who have installed Rails.
If you need us to help, please pop in a support ticket.
The fix is to either a) 'upgrade everything' or b) disable the vulnerable code. The 'upgrade everything' option may cause compatibility issues and can be difficult to revert. Have your Rails developer run a "gem update", then test the changes.
Otherwise, disable the vulnerable code in your app's initialization code. See https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
If you change the initialization code, be sure to commit that code change to your version control repository. If you'd like us to make that change, just provide us the location / directory of that initialization code and the commands you use to restart Rails on your server. Also provide a URL that we can use to test that your app is working as expected after the update.
Disabling the vulnerable feature is easy enough to revert. For example, after you run a "gem update"