"open-source web framework that is optimized for programmer happiness " and a complete lack of quality in the code being produced.
'grammers need sent back to school.
Popular programming framework Ruby on Rails has two critical security vulnerabilities - one allowing anyone to execute commands on the servers running affected web apps. The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe …
Or is there supposed to be something called testing BEFORE you spaff something out to world + dog?
Why release it at all if you have to patch it on the spot, AND tell everyone the problem is there for them to exploit to boot... Fix first, release later, surely?
It makes you wonder how dumb the generality of the human race is going to get/has gotten if the 'intelligentsia' can make cock-ups of such platinum-plated proportions...
"am I missing something"
Yep, you are probably not living in the real world.
"I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY."
This actually means the patches are actually in 3.2.11, 3.1.10, 3.0.19, and 2.3.15, actually.
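Worked example added here, not from the article or any of the commenters: the first half checks an installed Rails version against the four fixed releases named in the announcement quoted above; the second half shows the parsing point behind the CVE, namely that handing visitor-supplied YAML to a full loader lets the document pick which Ruby class gets instantiated, while `YAML.safe_load` refuses. The thread does not spell out that CVE-2013-0156 was YAML deserialization of request parameters; that is a known fact about the bug, stated here as the assumption the example rests on. `AuditRecord`, `FIXED_RELEASES` and both sample documents are constructed for this example.

```ruby
require "rubygems"
require "yaml"

# Fixed releases named in the quoted announcement (constructed list for the example);
# each maintained branch needs at least this version.
FIXED_RELEASES = %w[3.2.11 3.1.10 3.0.19 2.3.15].freeze

# Returns true when `installed` is on a branch covered by the announcement and is at
# or above that branch's fixed release, false when it is behind, and nil for a branch
# the announcement does not mention, so the caller can treat it as "check manually".
def patched_release?(installed)
  inst = Gem::Version.new(installed)
  branch = inst.segments.first(2).join(".")
  fixed = FIXED_RELEASES.find { |v| v.start_with?("#{branch}.") }
  return nil unless fixed
  inst >= Gem::Version.new(fixed)
end

# Constructed harmless class standing in for "whatever class the document names".
class AuditRecord
  attr_reader :note
end

# Constructed sample request bodies: a plain document, and one carrying a
# !ruby/object tag that asks the loader to build an AuditRecord.
BENIGN_DOC = "name: alice\nquantity: 3\n"
TAGGED_DOC = "--- !ruby/object:AuditRecord\nnote: hello\n"

# The unsafe pattern: a full YAML load honours the !ruby/object tag and returns an
# instance of the named class. Psych 4 renamed this behaviour to unsafe_load; older
# Psych versions behave this way under plain load, hence the fallback.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The hardened pattern: safe_load only builds core scalar/collection types, so a
# tagged document raises Psych::DisallowedClass instead of instantiating anything.
# Aliases are refused too, which also blocks the classic billion-laughs expansion.
def parse_untrusted(doc)
  YAML.safe_load(doc)
rescue Psych::Exception => e
  { "error" => e.class.name }
end

if __FILE__ == $0
  p patched_release?("3.2.10")       # => false
  p patched_release?("3.2.11")       # => true
  p parse_untrusted(BENIGN_DOC)      # => {"name"=>"alice", "quantity"=>3}
  p parse_untrusted(TAGGED_DOC)      # => {"error"=>"Psych::DisallowedClass"}
  p unsafe_parse(TAGGED_DOC).class   # => AuditRecord
end
```

The version check deliberately returns nil rather than false for a branch the announcement does not cover, so a script consuming it cannot mistake "unknown" for "safe". The safe_load rescue catches `Psych::Exception`, the common parent of `DisallowedClass` and `BadAlias`, so both tagged objects and alias bombs take the same error path.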
"tell everyone the problem is there for them to exploit to boot"
Uh... yeah. Release an open-source update but not tell anyone that it's about this little fix to cover up THIS ACCESS ALL AREAS MULTIPASS. Yeah, those sysops will leisurely update laters, no need to tell them to hurry. Bad guys can't into grep, I'm sure.
I think AC has been the victim of an XAP exploit (aka cross-article posting). Clearly the comment was made on a completely different article. I suggest El Reg check their servers for evidence of this dreadful XAP attack. The root cause no doubt is Bill Gates himself, if AC is to be believed.
This is coming from an avowed Microsoft hater and Penguin hugger here.
So you can readily understand the message, I will emphasize it:
Bash Microsoft for the bullshit it is actually responsible for; BUT Microsoft is NOT responsible for Ruby on Rails.
GET THAT!!!!
It's ugly, I agree, but I'd hope most of the implementations are running as some id other than root.
Hope being the key word.
ROR is happily NOT part of my environments. But I see that dev group over there that decided they'd do better on VPSs and running it themselves are running round in circles way later than they'd normally be up and working. I expect a phone call soon.
The Java 0-day exploit is related to users' PCs running Java; this means if you are developing Java applications that require the end user to run a Java Virtual Machine then there could be issues.
If you are developing Java applications that run through Tomcat/JBoss etc. and only require the user to have a browser, then this is not as bad as you think and certainly nothing like the ROR 0-day exploit.