
RoR hit by a serious security crisis!

A SearchAppSecurity.com story reports a serious security vulnerability in RoR that has forced the developers to rush out a patched release, and that release is a mandatory upgrade.

Because the bug is so serious, the developers have had to withhold the details of the vulnerability, so people who are still in the middle of upgrading have no way of knowing how to defend against attacks that exploit it.

An officially announced security problem like this throws a bucket of cold water on the RoR craze. The RoR developers were even too scared to disclose the bug publicly. Yet this bug is only the beginning; it is far from over. Every development platform, from Windows to J2EE to PHP, has gone through this process. They have all since become stable; J2EE and PHP in particular have very reliable security architectures on Unix, and we have accumulated a great deal of defensive experience in that field.


Original article: http://blog.csdn.net/danny_xcz/archive/2006/08/11/1049441.aspx

          -----------------------------------------------------------------------------------------------------------------------

          Ruby on Rails experiences serious security breach


          A serious security vulnerability has forced the creators of Ruby on Rails to issue an immediate upgrade for the software. Version 1.1.5, which is being called a mandatory upgrade, is available now.

Rails 1.0 and prior, as well as 1.1.3, are not affected. The creators are still trying to determine whether, and how badly, 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are affected.

          The vulnerability is so critical that the creators aren't disclosing any details so as to prevent attacks and protect people who are still in the process of upgrading.

From the Riding Rails blog: "If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched."

          Rails 1.1.5 is fully drop-in compatible with 1.1.4. It includes only a few bug fixes and no new features.

"As always, the trick is to do 'gem install rails' and then either changing config/environment.rb, if you're bound to gems, or do 'rake rails:freeze:gems' if you're freezing gems in vendor," according to the advisory in the blog posting.
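The advisory's upgrade step depends on how an application binds to Rails: either a pinned RAILS_GEM_VERSION in config/environment.rb or a frozen copy under vendor/rails. The following is an added example, not code from the advisory, the Rails project, or either blog: it reads the pinned version out of a constructed environment.rb, classifies it against the version list the story above gives (1.1.5 and later patched; 1.0 and prior and 1.1.3 not affected; 1.1.0, 1.1.1, 1.1.2 and 1.1.4 treated as needing the upgrade because their status is unknown), and emits the remediation command the advisory names. The function names, the sample file and the choice to treat the unknown versions as vulnerable are this example's own assumptions.

```ruby
# Added example: audit a Rails app's pinned version against the 1.1.5 advisory.
# Assumptions (not from the advisory): function names, the constructed
# environment.rb below, and treating versions of unknown status as vulnerable.

PATCHED_VERSION = '1.1.5'

# Parse "1.1.4" into [1, 1, 4] so versions compare numerically, not lexically
# ("1.1.10" must sort after "1.1.5").
def parse_version(str)
  str.split('.').map { |part| Integer(part, 10) }
end

# Classify a Rails version using the advisory's own list:
#   :patched          - 1.1.5 or later
#   :not_affected     - 1.0 and prior, and 1.1.3
#   :upgrade_required - 1.1.0, 1.1.1, 1.1.2, 1.1.4 (status unknown; assume vulnerable)
def rails_version_status(version)
  v = parse_version(version)
  return :patched      if (v <=> parse_version(PATCHED_VERSION)) >= 0
  return :not_affected if (v <=> [1, 1, 0]) < 0
  return :not_affected if v == [1, 1, 3]
  :upgrade_required
end

# Extract RAILS_GEM_VERSION from the text of config/environment.rb.
# Anchoring at line start skips the commented-out template line that
# generated apps carry; returns nil when no version is pinned (the app then
# loads vendor/rails if present, otherwise the newest installed gem).
def pinned_rails_version(environment_rb)
  m = environment_rb.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/)
  m && m[1]
end

# The commands the advisory describes, chosen by how the app binds to Rails.
# frozen: true when the app keeps Rails in vendor/rails.
def remediation(version, frozen)
  return [] unless rails_version_status(version) == :upgrade_required
  cmds = ['gem install rails']
  cmds << if frozen
            'rake rails:freeze:gems'
          else
            "set RAILS_GEM_VERSION = '#{PATCHED_VERSION}' in config/environment.rb"
          end
  cmds
end

# Constructed sample of a Rails 1.1-era config/environment.rb (not a real file).
SAMPLE_ENVIRONMENT_RB = <<'EOS'
# Be sure to restart your web server when you modify this file.
# Specifies gem version of Rails to use when vendor/rails is not present
# RAILS_GEM_VERSION = '1.1.2'
RAILS_GEM_VERSION = '1.1.4'
require File.join(File.dirname(__FILE__), 'boot')
EOS

if __FILE__ == $0
  version = pinned_rails_version(SAMPLE_ENVIRONMENT_RB)
  puts "pinned Rails version: #{version.inspect}"
  puts "status: #{rails_version_status(version)}"
  remediation(version, false).each { |cmd| puts "  -> #{cmd}" }
end
```

Note that an unpinned application is the harder case for an auditor: the version in use is whatever gem or vendor/rails checkout the server actually loads, so check `gem list rails` and vendor/rails on the host rather than the config file alone.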

The creators are continuing their investigation into the vulnerability and promise to issue a full report once it is complete and people have had enough time to upgrade.



posted on 2007-04-22 05:17 by 山風(fēng)小子, category: Python & Ruby & RoR