21 Apr '12, 1am

Mechanize 2.4 — HTTP Authentication security fix:

Mechanize#auth and Mechanize#basic_auth allowed disclosure of passwords to malicious servers and have been deprecated. In prior versions of mechanize, only one set of HTTP authentication credentials was allowed for all connections. If a mechanize instance connected to more than one server, a malicious server that detected mechanize could ask for HTTP Basic authentication, which would expose the username and password intended for only one server. Mechanize#auth and Mechanize#basic_auth now warn when used. To fix the warning, switch to Mechanize#add_auth, which requires the URI the credentials are intended for, the username, and the password. Optionally, an HTTP authentication realm or NTLM domain may be provided.

Full article: http://blog.segment7.net/2012/04/20/mechanize-2-4-securit...
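
The difference between one global credential pair and URI-scoped credentials, as an added example that is not Mechanize's own code: `GlobalAuthStore`, `ScopedAuthStore` and `authorization_header` are hypothetical names, the hosts are constructed, and the realm fallback is an assumption of this model.

```ruby
require 'uri'

# Simplified model (an assumption, not Mechanize internals) of the pre-2.4
# behaviour the note describes: one credential pair for every connection.
class GlobalAuthStore
  def initialize(user, password)
    @creds = [user, password]
  end

  # Any server that sends a challenge gets the same answer.
  def credentials_for(_challenge_uri, _realm = nil)
    @creds
  end
end

# Credentials bound to the origin (scheme, host, port) they were added for,
# optionally narrowed to one realm, mirroring the arguments of add_auth.
class ScopedAuthStore
  def initialize
    @creds = Hash.new { |hash, key| hash[key] = {} }
  end

  def add_auth(uri, user, password, realm = nil)
    @creds[origin(uri)][realm] = [user, password]
  end

  def credentials_for(challenge_uri, realm = nil)
    by_realm = @creds.fetch(origin(challenge_uri), {})
    by_realm[realm] || by_realm[nil]
  end

  private
  def origin(uri)
    parsed = URI(uri.to_s)
    [parsed.scheme.downcase, parsed.host.downcase, parsed.port]
  end
end

# Builds the Authorization header a client would send after a Basic
# challenge from challenge_uri, or nil when no credentials apply.
def authorization_header(store, challenge_uri, realm = nil)
  user, password = store.credentials_for(challenge_uri, realm)
  return nil unless user
  'Basic ' + ["#{user}:#{password}"].pack('m0')
end

INTENDED = 'https://intranet.example/reports' # constructed sample host
UNRELATED = 'https://unrelated.example/'      # constructed sample host
```

With the scoped store, a challenge from any origin other than the one passed to `add_auth` yields no header, including the plain-HTTP variant of the intended host.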
