

Rails 3.0.20 and 2.3.16 have been released - tamersalama
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/

======
speleding
As far as I can tell the latest Rails version (3.2.11) is not affected. Of
course, I only noticed this after frantically updating my gems. Sigh.

~~~
PetrolMan
Doesn't appear to affect 3.1.x or 3.2.x

------
epochwolf
Oh joy. We just patched the last bug in 2.3. My manager will not be happy.

~~~
jiggy2011
Could be worse, you could have developed everything with Java applets.

------
static_typed
Given we are still seeing more security issues with Rails, shouldn't the
developers down tools for 5 mins to stop with the shiny-shiny, and maybe
rewalk the codebase, the dependencies they set, and review things?

Yes, they are quick to band-aid the overall problem, and push out yet another
version bump, but, no one out there seems to really grasp the nettle and
admit too much auto, too much magic, too much opinionated design has meant a
framework with more holes than Swiss cheese. We have only just started to see
the trickle of reported issues, before the flood.

Ironically, we had a call this morning from a customer that their Rails app
server has been compromised, despite diligently patching and updating.

I would rather see one better update to Rails for the release versions,
arising from a proper audit, proactively closing the windows left from before,
rather than shutting one each time it is reported.

~~~
epochwolf
> Given we are still seeing more security issues with Rails, shouldn't the
> developers down tools for 5 mins to stop with the shiny-shiny, and maybe
> rewalk the codebase, the dependencies they set, and review things?

This is what's been happening and why we have seen a ton of releases.

~~~
eric970
+1. Exactly. This is why so many of these bugs are coming up now. It is a very
good thing.

