Ruby on Rails just released a batch of updates to address a critical vulnerability that allows arbitrary code execution, SQL injection, and bypassing of authentication mechanisms. Needless to say, security holes don't get much worse than this. Since a lot of us are using Redmine and other RoR sites with WebFaction, I have two questions:
asked 09 Jan '13, 11:51 ehough
We've already added new installers for Rails 2.3.15, 3.0.19, 3.1.10, and 3.2.11. To patch your own apps, you can either update your gems manually, or create a new app with the new installer and deploy your code to that. I'll update my gems now. Thanks!
(09 Jan '13, 21:35)
ehough
Sean, I'd like to press the point on ehough's first question above. Can a vulnerable Rails app belonging to another user on my server compromise my own (Rails-free) account? Or are your filesystem ACLs robust enough that even arbitrary code execution would be contained within the vulnerable account?
(11 Jan '13, 11:08)
cfm
When we create your account on our servers, the permissions on your home directory are sufficiently secure to prevent other customers from accessing files in your home directory, so unless you've changed that, you don't need to worry about a compromised Rails app getting into your account. The only thing that might affect you would be that if a compromised app was used to run some resource-intensive process. In that case, the performance of your server might be affected, or worst case, it would become completely non-responsive and would need to be rebooted. We have monitors in place for this sort of thing, and our CentOS6 servers have cgroups to prevent a single user from clobbering the CPU and IO, so it's unlikely that you'd see much of a problem if it did happen.
(11 Jan '13, 11:26)
seanf
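As an added example (not part of this thread, and not WebFaction's own tooling), a small POSIX shell audit of the containment Sean describes: it checks whether a directory's group/other permission bits are all cleared, and lists any files inside it that other local users could still read. The directory names and the sample file are constructed for the demo; run `home_is_contained "$HOME"` to check a real account.

```shell
#!/bin/sh
# Added example: audit whether a home-style directory is reachable by other
# local users. A directory is "contained" when group and other have no bits
# set (mode 700 or stricter). Paths in demo() are constructed for this script.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 if the directory's group/other bits are all zero, 1 otherwise.
# Only the last two octal digits (group, other) matter; a leading
# setuid/setgid/sticky digit is dropped.
home_is_contained() {
    m=$(mode_of "$1")
    m=$(printf '%s' "$m" | sed 's/.*\(...\)$/\1/')
    go=$(printf '%s' "$m" | cut -c2-3)
    [ "$go" = "00" ]
}

# List regular files under a directory that are readable by "other" (o+r).
# This matters if the top-level directory is ever opened up, e.g. for a web root.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Demo on constructed directories, so nothing in the real $HOME is touched.
demo() {
    d=$(mktemp -d)
    mkdir "$d/locked" "$d/open"
    chmod 700 "$d/locked"
    chmod 755 "$d/open"
    echo "db_password: constructed-sample" >"$d/open/database.yml"
    chmod 644 "$d/open/database.yml"
    if home_is_contained "$d/locked"; then echo "locked: contained"; fi
    if ! home_is_contained "$d/open"; then echo "open: exposed"; fi
    echo "world-readable files under open:"
    world_readable_files "$d/open"
    rm -rf "$d"
}
```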
That's all the reassurance I was looking for. Thanks, Sean.
(11 Jan '13, 16:07)
cfm