RoR遭遇严重的安全危机！

 SearchAppSecurity.com story 报道了RoR的一个严重的安全漏洞，致使开发者不得不迅速推出一个安全补丁的版本，而且该版本需要强制升级。

由于这个错误非常严重，以至开发者不得不隐藏这个漏洞的细节，所以升级过程中的人们无法知道如何预防该漏洞带来的攻击。

  这样的官方发布的安全问题，可谓是给RoR狂热扑了一盆大冷水。RoR的开发者们甚至吓得都不敢公开的这个错误。然而这个错误只是一个开始，还远远没有结 束。从windows，j2ee，php任何开发都经历过这个过程。而他们都趋于稳定，尤其是j2ee,php在unix下的安全架构更是非常可靠，我们 积累了大量这个领域进行防范的经验。

原文地址：http://blog.csdn.net/danny_xcz/archive/2006/08/11/1049441.aspx

-----------------------------------------------------------------------------------------------------------------------

Ruby on Rails experiences serious security breach

A serious security vulnerability has forced the creators of Ruby on Rails to issue an immediate upgrade for the software. Version 1.1.5, which is being called a mandatory upgrade, is available now.

Rails 1.0 and prior, as well as 1.1.3, are not affected. The creators are still trying to determine how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.

The vulnerability is so critical that the creators aren't disclosing any details so as to prevent attacks and protect people who are still in the process of upgrading.

From on the Riding Rails blog: "If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched."

Rails 1.1.5 is fully drop-in compatible with 1.1.4. It includes only a few bug fixes and no new features.

"As always, the trick is to do 'gem install rails' and then either changing config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor," according to the advisory in the blog posting.

The creators are continuing their investigation into the breach and promise to issue a full report once it's complete and people have had enough time to upgrade.

附：Groovy轻松入门——Grails实战之GORM篇