Emergency Ruby on Rails Upgrade Information

A recent security issue affecting the Rails component of the Ruby on Rails open source web application framework has prompted the immediate upgrade of the Rails stack on all our shared and reseller servers. This upgrade addresses the existing security issue, linked below, and also upgrades the associated components (gems and Passenger) to the latest versions, which are noted below.

Unfortunately, this upgrade has the potential to negatively impact the usage of your existing Rails applications if they are not compatible with the latest versions. Although we make every effort to always retain compatibility during any kind of upgrade, in this case, security is an overriding factor and we are not able to guarantee that all applications will continue to operate under the new versions.

This upgrade will also remove support for the cPanel Rails Application installer located in your cPanel web interface. This feature, although provided for convenience, has no impact on your ability to install Rails applications over SSH, which is the preferred and recommended method to set up your Rails applications.

We have a knowledge base article located here:

Rails Application Setup:
https://help.asmallo…rticle/View/251
that should assist you.

For additional information on the security issue, please see below:

Security Vulnerability Details:
http://weblog.rubyon…-been-released/

Software Upgrade Versions:

ruby 1.9.3-p362
rails 3.2.11
gems 1.8.24
passenger 3.0.19

If we can assist you with this upgrade, please let us know and we’ll be happy to do so.

One Response to Emergency Ruby on Rails Upgrade Information

  1. Alexa G says:
    January 11, 2013 at 5:47 pm.

    This is a pretty scary problem that (thankfully) has a very easy fix. The main thing that Rails users need to do to protect themselves is to edit the file named Gemfile (located in the main directory of their Rails application) and change the line that says:

    gem 'rails', '(some version here)'

    to:

    gem 'rails', '3.2.11'

    Then, in the shell, run the following command to tell your application to use the fixed version of Rails:

    bundle update

    You may also need to restart your application after the update:

    touch tmp/restart.txt

    This should work for most users. If bundle complains about needing permissions for something, you’ll need to send in a ticket to ask a ninja for assistance in running the command. I hope that helps some users who may be a bit lost. :)
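As an added example (not part of the original post or the commenter's instructions), the following Ruby script checks which Rails version an application's Gemfile.lock actually resolves to, since that lock file, not the Gemfile line alone, determines what Bundler loads. The sample lock contents are constructed, and the "patched" threshold is the 3.2.11 release named above.

```ruby
# Added example: verify that a Rails app's Gemfile.lock resolves to a Rails
# version at or above the patched 3.2.11 release named in the announcement.
# Assumes the standard Bundler lock layout (a "specs:" section listing
# "    rails (x.y.z)" indented by four spaces). Sample content is constructed.
require 'rubygems'

PATCHED_RAILS = Gem::Version.new('3.2.11')

# Extract the resolved rails version from Gemfile.lock text.
# Returns a Gem::Version, or nil if no rails entry is found.
def resolved_rails_version(lock_text)
  # Bundler lists resolved gems indented by exactly four spaces under "specs:";
  # the "DEPENDENCIES" section uses two spaces and "(= x.y.z)", so it is skipped.
  match = lock_text.match(/^ {4}rails \(([^)]+)\)/)
  match && Gem::Version.new(match[1])
end

# Classify the app as :patched, :vulnerable, or :unknown (no rails entry).
def rails_status(lock_text)
  version = resolved_rails_version(lock_text)
  return :unknown if version.nil?
  version >= PATCHED_RAILS ? :patched : :vulnerable
end

# Constructed sample: a lock file still pinned to an older 3.2 release.
SAMPLE_OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.9)
        actionmailer (= 3.2.9)
        railties (= 3.2.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.9)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Read the app's lock file if one is given or present; otherwise use the sample.
  path = ARGV[0] || 'Gemfile.lock'
  text = File.exist?(path) ? File.read(path) : SAMPLE_OLD_LOCK
  puts "#{path}: rails #{resolved_rails_version(text) || 'not found'} -> #{rails_status(text)}"
end
```

Run it from the application directory after `bundle update`; a result of :vulnerable means the lock file was not regenerated and the old Rails will still be loaded.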
