From the ISC:

A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.

The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: “This is a MANDATORY upgrade for anyone not running on a very recent edge”.

Unfortunately, they didn’t specify what this “very recent edge” exactly is, so you can’t say if you are vulnerable or not. We can confirm, though, that all older versions (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.

The new version (1.1.5) is supposed to be completely compatible with 1.1.4; however, we would recommend that you check the original post about this, available at http://weblog.rubyonrails.com/.

The new version can be downloaded from http://rubyforge.org/frs/?group_id=307.


UPDATE: There is a part two to this problem apparently. Here is the link for the full story.
