If you use Ruby on Rails, you NEED to read this immediately:

Metasploit Rails 3 Remote Code Execution Hours Away

If you use Ruby on Rails, you NEED to read this immediately:

(Bah, great point about passwords. I need to reform my ways.)To amplify and expand on Thomas here: when this was announced I pushed the Big Red Button and pushed three emergency patches to my servers at 3 to 5 AM Japan time. My perception was "This just can't wait." I went to sleep with the vague feeling that I had probably broken something (there's always something that slips when you're tired and hasty) but that it was almost certainly acceptable given the alternative. Sure enough: despite automated and smoke tests passing and metrics remaining nominal, Appointment Reminder suffered breaking downtime for some customers (it depended on browser - long story not relevant). This ended up locking them out for about 16 hours, felicitously mostly not during the US working day. After being told of the issue by a few mighty pissed end users, I fixed it and spent a second awake-to...

Full article: http://news.ycombinator.com/item?id=5035023

Tweets

@ruairi » 10 Jan '13, 8pm
Patch ALL systems. Not just "live" ones. “@MMOMeltingPot: If you use Ruby on Rails, you NEED to read this immediately: [link]”
» 10 Jan '13, 6pm
Paging @stray RT @MMOMeltingPot If you use Ruby on Rails, you NEED to read this immediately: [link]
@WoWMiri » 10 Jan '13, 6pm
RT @MMOMeltingPot: If you use Ruby on Rails, you NEED to read this immediately: [link]
@MMOMeltingPot » 10 Jan '13, 6pm
If you use Ruby on Rails, you NEED to read this immediately: [link]
@p9k » 10 Jan '13, 5pm
Productive discussion on HN about critical rails vulnerability and its consequences: [link] Rails fix: [link]
@dewarim » 10 Jan '13, 1pm
[link] Iiiiih - Remote Code Execution in Ruby on Rails.
@tomgillett » 10 Jan '13, 12pm
Today is the BIG RED BUTTON day for Ruby on Rails... [link]
@ThE_ED » 10 Jan '13, 11am
on Ruby on Rails vulnerability & Metasploit exploit [link] (cc @stonehead)
@alphadevx » 10 Jan '13, 9am
"Metasploit Rails 3 Remote Code Execution Hours Away", better get patching if you're running Ruby on Rails: [link] #security
@tclancy » 10 Jan '13, 6am
RT @HighSNHN: Metasploit Rails 3 Remote Code Execution Hours Away: [link] ( [link] )
@gdeglin » 10 Jan '13, 3am
Every single Ruby on Rails application that has not installed a patch that was released yesterday is now... [link]
@HNTweets » 10 Jan '13, 3am
Metasploit Rails 3 Remote Code Execution Hours Away: https://t.co/LweKDSSn Comments: [link]
@HighSNHN » 10 Jan '13, 6am
Metasploit Rails 3 Remote Code Execution Hours Away: [link] ( [link] )