Yesterday, 8/9/2006, Ruby on Rails 1.1.5 was released, followed quickly by 1.1.6 today; 1.1.6 is considered a mandatory upgrade for anyone running a Rails site on a public-facing server. (1.1.5 turned out not to close the hole completely, which is why 1.1.6 followed a day later.)
The vulnerability that 1.1.6 fixes is a routing bug: a crafted request could cause the router to load and run code that is normally only run for development purposes. For the full gory details, head here.
Of course, we have immediately patched all of our client sites that were affected. So have no fear, Plexus customers, we're watching out for you!
Some background on why only some of our sites built in Rails needed to be "fixed". Sites created in pre-1.1 days either carried their own copy of Rails in the vendor directory or simply used whatever the newest Rails gem installed on the server happened to be. A handful of our sites currently run off the latest gem, so once the 1.1.6 gem was installed we didn't have to do anything for them to pick it up. However, all of our latest projects have a directive in their environment setup file (the RAILS_GEM_VERSION setting in config/environment.rb) that states which version of the gem they should use. (Incidentally, this is the version the project was generated with.) These projects required us to change their environment setup file to point to the latest version. Note that a site with Rails frozen into vendor/rails never consults the installed gems at all, so installing a new gem does nothing for it; the vendored copy itself has to be replaced.
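The three cases above (Rails vendored, gem version pinned, or "whatever gem is newest") decide whether a given app picks up a new gem automatically. As an added example, not code from the original post or from Plexus, here is a small Ruby audit script that classifies a set of Rails app directories the same way and rewrites the pin where needed. It assumes the 1.1-era conventions: a pin of the form `RAILS_GEM_VERSION = '1.1.4'` in config/environment.rb, and a vendored copy at vendor/rails whose version lives in railties/lib/rails/version.rb as MAJOR/MINOR/TINY constants. The sample apps it builds in a temp directory are constructed for the demo, not real client sites.

```ruby
require 'tmpdir'
require 'fileutils'

# Rails release that carries the routing fix the post describes.
FIXED_VERSION = '1.1.6'

# True when dotted version string +a+ sorts before +b+ numerically,
# so "1.1.10" is correctly treated as newer than "1.1.6".
def version_older?(a, b)
  (a.split('.').map(&:to_i) <=> b.split('.').map(&:to_i)) == -1
end

# Work out how an app picks up Rails. Returns [kind, version]:
#   :vendored - a copy of Rails lives in vendor/rails (version read from
#               railties/lib/rails/version.rb; the path and the MAJOR/MINOR/TINY
#               constants are an assumption about the 1.1-era layout)
#   :pinned   - RAILS_GEM_VERSION is set in config/environment.rb
#   :latest   - neither, so the newest installed rails gem wins
def rails_source(app_dir)
  version_rb = File.join(app_dir, 'vendor/rails/railties/lib/rails/version.rb')
  if File.exist?(version_rb)
    src = File.read(version_rb)
    parts = %w[MAJOR MINOR TINY].map { |c| src[/#{c}\s*=\s*(\d+)/, 1] }
    return [:vendored, parts.all? ? parts.join('.') : nil]
  end
  env_rb = File.join(app_dir, 'config/environment.rb')
  if File.exist?(env_rb)
    pin = File.read(env_rb)[/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/, 1]
    return [:pinned, pin] if pin
  end
  [:latest, nil]
end

# Decide what has to happen for one app. Returns [kind, version, action], where
# action is :none, :update_pin (edit environment.rb) or :update_vendor
# (replace the vendored copy; installing a new gem does not help here).
def audit(app_dir)
  kind, ver = rails_source(app_dir)
  action = case kind
           when :latest   then :none
           when :pinned   then version_older?(ver, FIXED_VERSION) ? :update_pin : :none
           when :vendored then (ver.nil? || version_older?(ver, FIXED_VERSION)) ? :update_vendor : :none
           end
  [kind, ver, action]
end

# Rewrite the RAILS_GEM_VERSION line in place. Returns the pinned version as
# read back from the file afterwards, or nil if there was no pin line to change.
def repin!(app_dir, new_version)
  env_rb = File.join(app_dir, 'config/environment.rb')
  src = File.read(env_rb)
  updated = src.sub(/^(\s*RAILS_GEM_VERSION\s*=\s*)['"][\d.]+['"]/) { "#{$1}'#{new_version}'" }
  File.write(env_rb, updated)
  rails_source(app_dir)[1]
end

# Build three constructed sample apps (not real sites) under +root+.
def build_sample_apps(root)
  # Pre-1.1 style: Rails checked into vendor/rails at 1.1.4.
  vendored = File.join(root, 'vendored_app')
  FileUtils.mkdir_p(File.join(vendored, 'vendor/rails/railties/lib/rails'))
  File.write(File.join(vendored, 'vendor/rails/railties/lib/rails/version.rb'),
             "module Rails\n  module VERSION\n    MAJOR = 1\n    MINOR = 1\n    TINY  = 4\n  end\nend\n")
  # Pinned to the version the project was generated with.
  pinned = File.join(root, 'pinned_app')
  FileUtils.mkdir_p(File.join(pinned, 'config'))
  File.write(File.join(pinned, 'config/environment.rb'),
             "RAILS_GEM_VERSION = '1.1.4' unless defined? RAILS_GEM_VERSION\nrequire File.join(File.dirname(__FILE__), 'boot')\n")
  # No pin at all: follows whatever gem is newest on the server.
  latest = File.join(root, 'latest_app')
  FileUtils.mkdir_p(File.join(latest, 'config'))
  File.write(File.join(latest, 'config/environment.rb'),
             "require File.join(File.dirname(__FILE__), 'boot')\n")
  [vendored, pinned, latest]
end

if __FILE__ == $0
  Dir.mktmpdir do |root|
    build_sample_apps(root).each do |app|
      kind, ver, action = audit(app)
      puts "#{File.basename(app)}: #{kind} #{ver.inspect} -> #{action}"
    end
    repin!(File.join(root, 'pinned_app'), FIXED_VERSION)
    puts "pinned_app after repin: #{audit(File.join(root, 'pinned_app')).inspect}"
  end
end
```

Run it as a script to see the three classifications and the pinned app flip from :update_pin to :none after the rewrite. In practice you would point it at each deployed app root instead of the temp directory, and treat :update_vendor as the case the gem install alone does not cover.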
It's great to see the Rails community coming together and keeping Rails safe. The speed of the patching is also a good sign for the framework.