Rails 1.1.5 Released: Fixes Top Secret Security Flaw
“This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.”
I'm guessing it is an SQL injection hole allowing someone to remotely blow away your entire database. Rails has been pretty good so far in regards to SQL injection, so it's about time something was found.
For the lazy ones among us, let's just hope the hole remains top secret… at least until after I get back from vacation.
I quickly upgraded 3 servers to 1.1.5 in about 10 mins. For those of you who upgraded to typo-4.0 a couple of weeks ago, make sure to freeze Rails to the new version (it will have frozen 1.1.4 into /vendor for you):
rake rails:freeze:gems
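To confirm the freeze actually picked up the patched version on every server, here is an added shell check (my own, not part of the original post or of Rails). It assumes the frozen copy keeps its version constants in vendor/rails/railties/lib/rails/version.rb, and it builds a constructed sample tree so it runs stand-alone.

```shell
#!/bin/sh
# Check that the Rails frozen into an app's vendor/rails is at least 1.1.5.
# Assumed layout: vendor/rails/railties/lib/rails/version.rb defining
# Rails::VERSION::MAJOR, MINOR and TINY.

# Print "MAJOR.MINOR.TINY" extracted from a version.rb file.
rails_version_from_file() {
  awk '/^ *MAJOR *=/ {maj=$NF} /^ *MINOR *=/ {min=$NF} /^ *TINY *=/ {tiny=$NF}
       END {printf "%s.%s.%s", maj, min, tiny}' "$1"
}

# Return 0 if dotted version $1 is >= dotted version $2 (numeric compare per part).
version_ge() {
  a1=$(echo "$1" | cut -d. -f1); a2=$(echo "$1" | cut -d. -f2); a3=$(echo "$1" | cut -d. -f3)
  b1=$(echo "$2" | cut -d. -f1); b2=$(echo "$2" | cut -d. -f2); b3=$(echo "$2" | cut -d. -f3)
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# Report on the frozen Rails under app root $1: 0 = patched, 1 = old, 2 = not frozen.
check_frozen_rails() {
  f="$1/vendor/rails/railties/lib/rails/version.rb"
  [ -f "$f" ] || { echo "no frozen rails in $1"; return 2; }
  v=$(rails_version_from_file "$f")
  if version_ge "$v" 1.1.5; then echo "OK: $v"; return 0; fi
  echo "VULNERABLE: $v (need 1.1.5)"; return 1
}

# Constructed sample app tree, frozen to 1.1.5, so the check runs offline.
tmp=$(mktemp -d)
mkdir -p "$tmp/vendor/rails/railties/lib/rails"
cat > "$tmp/vendor/rails/railties/lib/rails/version.rb" <<'EOF'
module Rails
  module VERSION #:nodoc:
    MAJOR = 1
    MINOR = 1
    TINY  = 5
    STRING = [MAJOR, MINOR, TINY].join('.')
  end
end
EOF
check_frozen_rails "$tmp"
```

Run it with the real app root in place of the sample directory; a non-zero exit flags a server still on 1.1.4 or one that never froze Rails at all.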
