Re: [id-ruby] Please upgrade your rails apps

  • Fiqi Fitransyah
    Message 1 of 10 , Jan 10, 2013
      I'll just wait for 3.2.12 then...

      FYI : https://github.com/rails/rails/issues/8832


      ________________________________
      From: Nugroho Herucahyono <me@...>
      To: id-ruby@yahoogroups.com
      Sent: Thursday, 10 January 2013 12:55 PM
      Subject: Re: [id-ruby] Please upgrade your rails apps


      oh well....

      lethal and very easy to exploit :(

      please please... upgrade right away...

      2013/1/10 Achmad Gozali <hello@...>

      > wow, the exploit is already out
      >
      > https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
      >
      > brace yourself, script kiddies with Metasploit are starting to attack :)
      >
      > come on, upgrade / patch right away
      >
      > 2013/1/9 Achmad Gozali <hello@...>
      >
      > > looks very serious & keeping the core committers busy in the new year :D
      > > has anyone tried the Metasploit module against their own Rails app on localhost?
      > > https://community.rapid7.com/docs/DOC-2142
      > >
      > > 2013/1/9 Nugroho Herucahyono <me@...>
      > >
      > >>
      > >> That's the SQL injection vulnerability, fixed in Rails 3.2.10
      > >>
      > >> This parameter parsing vulnerability, on the other hand, is far more
      > >> dangerous and easy to exploit.
      > >> It was only fixed in 3.2.11
      > >>
      > >>
      > >> On Wed, Jan 9, 2013 at 12:58 PM, Yacobus Reinhart <yacobus.reinhart@...> wrote:
      > >>
      > >> > if I'm not mistaken Hongli explained this in early 2013, here's the article:
      > >> >
      > >> > http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
      > >> >
      > >> >
      > >> > 2013/1/9 Joni Farizal <arenaling@...>
      > >> >
      > >> > >
      > >> > > just updated to 3.2.10 a few hours ago.. okay, updating to 3.2.11 again :hammer:
      > >> > >
      > >> > > On Wed, Jan 9, 2013 at 11:15 AM, Nugroho Herucahyono <me@...> wrote:
      > >> > >
      > >> > > >
      > >> > > > There are several vulnerabilities that affect almost all Rails versions:
      > >> > > >
      > >> > > > https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
      > >> > > > Versions Affected: ALL versions
      > >> > > > Not affected: NONE
      > >> > > > Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15
      > >> > > >
      > >> > > > https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
      > >> > > > Versions Affected: 3.x series
      > >> > > > Not affected: 2.x series
      > >> > > > Fixed Versions: 3.2.11, 3.1.10, 3.0.19
      > >> > > >
      > >> > >
      > >> > > --
      > >> > > regards,
      > >> > > Joni Farizal
      > >> > > PT. Nusantara Baskara Jaya (Nusaraya)
      > >> > >
      > >> > --
      > >> > *"To accomplish great things, we must not only act, but also dream;
      > >> > not only plan, but also believe."* *~ Anatole France*
      > >> >
      > >> > ------------------------------------
      > >> >
      > >> > ID-Ruby
      > >> > Discussing and learning together about the Ruby programming language,
      > >> > including all Ruby variants (JRuby, Rubinius, IronRuby, XRuby), and
      > >> > programs built with Ruby (Ruby on Rails, JRuby on Rails, Merb)
      > >> >
      > >> > http://rubyurl.com/Q8DD
      > >> > http://news.gmane.org/gmane.comp.lang.ruby.region.indonesia

    • Nugroho Herucahyono
      Message 2 of 10 , Jan 10, 2013
        Since this bug is critical, I suggest that those who don't want to
        upgrade yet temporarily disable XML parameters:

        in Rails 3:
        ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)

        in Rails 2:
        ActionController::Base.param_parsers.delete(Mime::XML)

        Don't just leave it as is, because this vulnerability is very easy to take advantage of.


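An added example, not code from the thread or from Rails itself, for apps that cannot upgrade yet: a check of a Rails version against the fixed versions listed in the advisory quoted in the thread (3.2.11, 3.1.10, 3.0.19, 2.3.15), and a hypothetical Rack middleware (the name RejectXmlParams is chosen here) that refuses XML request bodies with 415 so the XML parameter parser is never reached, complementing the DEFAULT_PARSERS workaround above. It assumes only a Rack-style env hash, which is constructed inline, so it runs without Rack or Rails installed.

```ruby
require 'rubygems'   # Gem::Version (already loaded by default on modern Ruby)
require 'stringio'

# Fixed versions as listed in the rubyonrails-security advisory quoted
# in the thread: 3.2.11, 3.1.10, 3.0.19, 2.3.15.
FIXED_VERSIONS = %w[3.2.11 3.1.10 3.0.19 2.3.15].map { |v| Gem::Version.new(v) }

# True when +version+ is at or above the fix for its own minor series.
# A series the advisory does not list (e.g. 2.2.x) is treated as unpatched.
def patched?(version)
  v = Gem::Version.new(version)
  fix = FIXED_VERSIONS.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  !fix.nil? && v >= fix
end

# Content types that would be handed to the XML params parser
# (application/xml, text/xml and any */*+xml variant).
XML_TYPES = %r{\A(application|text)/xml|\+xml}i

# Hypothetical Rack middleware (name chosen for this example): answers 415
# to any request carrying an XML body so the XML parser is never reached,
# and logs the attempt. Rack middleware is just an object with #call(env).
class RejectXmlParams
  def initialize(app, log: $stderr)
    @app = app
    @log = log
  end

  def call(env)
    if env['CONTENT_TYPE'].to_s =~ XML_TYPES
      @log.puts "rejected XML body: #{env['REMOTE_ADDR']} #{env['REQUEST_METHOD']} #{env['PATH_INFO']}"
      return [415, { 'Content-Type' => 'text/plain' }, ["XML parameters are disabled\n"]]
    end
    @app.call(env)
  end
end

# Constructed stand-in app (always 200) wrapped in the middleware.
def build_app(log = StringIO.new)
  inner = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  RejectXmlParams.new(inner, log: log)
end

# Status the wrapped app returns for a constructed POST with +content_type+.
def status_for(content_type, app = build_app)
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/posts',
          'REMOTE_ADDR' => '192.0.2.10', 'CONTENT_TYPE' => content_type }
  app.call(env).first
end
```

Mount the middleware ahead of the params parser (in Rails 3, `config.middleware.insert_before ActionDispatch::ParamsParser, RejectXmlParams`) only if the app does not legitimately accept XML; otherwise the DEFAULT_PARSERS workaround above is the narrower choice.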