Ruby on Rails 1.2.6: Security and Maintenance Release

Posted by michael November 24, 2007 @ 10:18 PM

The Rails core team has released Ruby on Rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE identifier for this new issue is CVE-2007-6077.

You should upgrade to this new release if you do not take specific session-fixation countermeasures in your application. 1.2.6 also fixes some regressions when working with has_many associations on unsaved ActiveRecord objects.

As with other 1.2.x releases, this is intended as a drop-in upgrade for users of earlier versions in the 1.2 series.

To upgrade, `gem install rails`, set RAILS_GEM_VERSION to '1.2.6' in config/environment.rb, and run `rake rails:update:configs`.
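As an added illustration, not code from the announcement or from Rails itself, of the session-fixation countermeasure the release note refers to: the session id a client presents before authentication must be discarded at login and replaced with a fresh one. The store, ids and user names below are constructed for the example; in a Rails controller the equivalent step is calling reset_session before storing the authenticated user in the session.

```ruby
require 'securerandom'

# Constructed in-memory session store (not Rails' own code) that shows
# why a login handler must issue a fresh session id.
class SessionStore
  def initialize
    @sessions = {} # session id => hash of session data
  end

  # Data for sid, creating an empty session if the id is unknown.
  def fetch(sid)
    @sessions[sid] ||= {}
  end

  # Weak login: authenticates inside whatever id the client presented,
  # so whoever planted that id now shares the authenticated session.
  def login_keeping_id(sid, user)
    fetch(sid)[:user] = user
    sid
  end

  # Hardened login: discard the pre-auth session and start a new one
  # under an unpredictable id. In a Rails controller this is what
  # reset_session does before the authenticated user is stored.
  def login_with_fresh_id(sid, user)
    @sessions.delete(sid)
    fresh = SecureRandom.hex(16)
    fetch(fresh)[:user] = user
    fresh
  end

  # User logged in under sid, or nil; never creates a session.
  def user_for(sid)
    (@sessions[sid] || {})[:user]
  end
end

# Walk both login paths with a constructed, attacker-known id.
def fixation_demo
  planted = 'attacker-known-id'
  weak = SessionStore.new
  weak.login_keeping_id(planted, 'alice')
  hardened = SessionStore.new
  new_sid = hardened.login_with_fresh_id(planted, 'alice')
  {
    weak_attacker_sees: weak.user_for(planted),         # 'alice'
    hardened_attacker_sees: hardened.user_for(planted), # nil
    hardened_user_sid_changed: new_sid != planted       # true
  }
end
```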

Comments

  1. Rafael Schär on 25 Nov 00:24:

    Hi everybody,

thanks for this release. What I noticed is that the update over “gem” fails with the following errors, on either Linux or Mac OS X:

    $ sudo gem install rails
    Bulk updating Gem source index for: http://gems.rubyforge.org
    ERROR: While executing gem … (Gem::RemoteFetcher::FetchError)
    OpenURI::HTTPError: 404 Not Found reading http://gems.rubyforge.org/gems/activerecord-1.15.6.gem

    greetinx

  2. Nathaniel Bibler on 25 Nov 00:50:

    The OpenURI::HTTPError just means that the specific server you’re requesting the update from has not yet received the new code. Once it has fully propagated, it will become available.

  3. Xi Ping Wang on 25 Nov 09:52:

    Can’t update to 1.2.6. Please fix it.

  4. nazgum on 25 Nov 10:13:

    worked fine for me..

  5. Peter Franklin on 25 Nov 11:29:

    peter@orbb:~$ sudo gem install rails

    Install required dependency actionwebservice? [Yn]
    ERROR: While executing gem … (OpenURI::HTTPError) 404 Not Found

  6. Joe on 25 Nov 16:28:

    I got the same error. Then I ran the command again, and it worked fine.

    I’d assume that gems.rubyforge.org is just getting hit hard right now from everyone updating. If that’s the case, that’s a good sign! More people using Rails == a better Web tomorrow.

  7. Caleb Jones on 25 Nov 17:25:

    $ sudo gem update rails
    Upgrading installed gems…
    Updating Gem source index for: http://gems.rubyforge.org
    Attempting remote upgrade of rails
    Attempting remote installation of ‘rails’
    Install required dependency activerecord? [Yn] Y
    ERROR: While executing gem … (OpenURI::HTTPError) 404 Not Found

  8. teoric on 25 Nov 19:35:

    It seems to help to restart the update, every other time I do not get the 404 error…

  9. Koz on 26 Nov 00:55:

    If you’re having the 404 errors with gem install, there’s not much you can do other than wait a few hours and try again.

    Unfortunately this is an issue with the server software used for the gem mirroring system. The rubyforge guys are aware of it and will hopefully resolve it some time soon.

  10. Tim on 27 Nov 21:58:

    When is Ruby 1.9 planned to be released?

  11. Ryan on 28 Nov 03:14:

    @Tim:

    Before the end of the year, according to ruby-lang.org and ruby-inside.com

  12. Ryan on 28 Nov 04:47:

    I noticed that validates_uniqueness_of doesn’t appear to be working (i.e. incorrectly returning something is valid when it obviously is not), within the scope of another field.

  13. citygrit@gmail.com on 28 Nov 05:50:

    why not upgrade freebsd ports, is now “rubygem-rails-1.2.3”, or must use `gem install rails`?

  14. face on 28 Nov 06:02:

    Does 2.0 RC1 have this problem? If so, is it fixed on edge?

    Thanks!

  15. Sheldon Hearn on 28 Nov 10:36:

    Anyone had any luck with this version of rails and the redhillonrails_core plugin?

    I get “stack level too deep” from “rake db:migrate”. Looks like alias_method_chain isn’t working as expected by the plugin?

  16. Steve Koppelman on 28 Nov 17:11:

    You may want to update the homepage, which still says 1.2.5 is the current stable version.

  17. roger on 03 Dec 11:19:

    Trying to freeze 1.2.6 I get the following message:

    svn: URL ‘http://dev.rubyonrails.org/svn/rails/tags/rel_1-2-6/activeresource’ doesn’t exist

    And when comparing the content of vendor with that of 1.2.5 the directory actionwebservice is missing

  18. Anthony on 03 Dec 19:08:

    So a week has gone by since the first post. I am having the 404 problems too. Can problems with my network be the cause? any other way to upgrade?

  19. Frank on 03 Dec 22:36:

    I had 404s several times. It eventually worked. Just keep trying.

  20. Torsten on 04 Dec 19:17:

    404s here too. http://doc.rubygems.org also not available

    poor…

  21. Dan on 07 Dec 20:45:

    To fix the:

    ‘http://dev.rubyonrails.org/svn/rails/tags/rel_1-2-6/activeresource’ doesn’t exist

    error, edit the framework.rake file.

    This file can be found in the directory where gems are stored; on my system it is in:

    /usr/local/lib/ruby/gems/1.8/gems/rails-1.2.5/lib/tasks/framework.rake

    This worked for me. Also, I had to add a line like this to the same file (right after the require rubygems line):

    require 'rubygems/gem_runner'

    Hope this helps. I also posted this on the rails talk list…

    Dan

  22. Dan on 07 Dec 20:47:

    I forgot to say what to do in reference to freezing 1.2.6:

    In framework.rake, remove the activeresource element on the line that says:

    for framework in %w(... activeresource)

    Dan

  23. Albert on 09 Dec 03:50:

    I found a solution to the “OpenURI” error problem (Ubuntu): Download this gem, “/home/albert/Desktop/actionpack-2.0.1.gem”, and save it under your home directory, then run in terminal “sudo gem install rails”