The beginning of 2013 was a really bad time for the Ruby community. In the first few weeks of the year a few separate security issues were found that made everyone run to their SSH consoles to update their Rails apps. Rails itself had to be updated 4 times so far because of this, and even the rubygems.org gem repository has been hacked.
And we aren’t talking about a minor “someone with enough luck and determination can use this for some malicious purpose one day” kind of issue; some of these were the nastiest security holes we’ve seen in years. Check out this article by Patrick McKenzie about what can happen (or rather: will happen) because of these vulnerabilities.
The worst part: it’s probably not the end. The general nature of these bugs – see another article by Aaron Paterson analyzing all the ways in which you can do harm to a Ruby app – means that it’s quite likely that there’s more where that came from.
Now, I don’t know about you, but for me it’s starting to get hard to keep track of all these issues. I know Rails should be updated, but which version was that, 3.2.10 or 3.2.11? Is 2.3.17 OK or was there something newer? And what else was there, json, rack, or was it rake?