Rails security vulnerability 26 Aug 08
If you’ve been following the Rails security list you’ll know that a serious flaw has been uncovered in the REXML library (the XML parser bundled with Ruby): a document that declares nested entities expands to an enormous size when parsed, which makes an easy Denial of Service attack possible against the vast majority of Rails applications.
The Ruby details are here: http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ and the instructions for applying the monkey patch fix to Rails are on the security Google group: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9fb60a1e22a88d30/330bcb96de877996#330bcb96de877996
Just to reiterate: this fault affects the majority of Rails applications across all versions of Rails, whether or not you think you are processing XML, because Rails parses any request body sent with an XML content type into params using REXML, so an attacker only needs to POST a crafted document to any action. We would urge all our customers (and all Rails users for that matter) to apply the patch to their applications now, as a stopgap until an upgrade to the Ruby libraries correcting the error is available.
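As an added illustration (this is not part of the original post, nor is it the Ruby or Rails patch itself), the Ruby script below builds a small, constructed entity-expansion payload of the kind the advisory describes, parses it with REXML, and shows the effect of the expansion limit that the fix introduced (an entity expansion counter, 10,000 by default): with that limit the three-level document still expands, to 3000 bytes, while a deliberately strict limit of 100 refuses the expansion. The helper names nested_entity_xml and expand_with_limit are mine; a real attack nests the entities around nine levels deep rather than three.

```ruby
require 'rexml/document'

# Build a constructed "entity explosion" document: entity eN expands to
# `fanout` copies of e(N-1), so eN stands for fanout**N copies of e0.
# Kept tiny here (depth 3, fanout 10 => 1000 copies of "lol", 3000 bytes);
# the real payload uses ~9 levels, i.e. a billion copies.
def nested_entity_xml(depth, fanout)
  decls = ['<!ENTITY e0 "lol">']
  (1..depth).each do |i|
    decls << "<!ENTITY e#{i} \"#{"&e#{i - 1};" * fanout}\">"
  end
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE x [
    #{decls.join("\n")}
    ]>
    <x>&e#{depth};</x>
  XML
end

# Parse the document and fully expand the root element's text under the
# given entity expansion limit. REXML raises a RuntimeError once the number
# of expanded entity references exceeds the limit. The previous limit is
# restored afterwards so the setting does not leak into other code.
def expand_with_limit(xml, limit)
  # Newer REXML keeps the setting on REXML::Security; older releases (and the
  # 2008 monkey patch) expose it on REXML::Document.
  security = defined?(REXML::Security) ? REXML::Security : REXML::Document
  previous = security.entity_expansion_limit
  security.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  { ok: true, bytes: doc.root.text.bytesize }
rescue RuntimeError => e
  { ok: false, error: e.message }
ensure
  security.entity_expansion_limit = previous unless previous.nil?
end

if __FILE__ == $PROGRAM_NAME
  payload = nested_entity_xml(3, 10)
  # Expected: {:ok=>true, :bytes=>3000}
  p expand_with_limit(payload, 10_000)
  # Expected: {:ok=>false, :error=>"number of entities expanded exceeded"}
  p expand_with_limit(payload, 100)
end
```

The point to take from the second call is that the limit stops the expansion after a bounded amount of work, which is exactly what an unpatched REXML lacked: without the counter the parser would happily keep expanding until memory or CPU ran out.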

