| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by scotje 4879 days ago
	I just tried this on one of my side project sites and it's reporting it as being vulnerable. However I upgraded the site to Rails 3.2.1 last week (and just confirmed that's the version in the bundle). Is there something that would cause a false positive or is my app really still vulnerable?

3 comments

borski 4879 days ago

There is the potential for false positives, but I'd be happy to chat about it - feel free to get in touch either via email at support@tinfoilsecurity.com or in our support chat: http://www.tinfoilsecurity.com/chat

ITYM 3.2.11? 3.2.1 is definitely vulnerable... We had a typo in ours that said 3.2.1 was safe - so sorry about that! Fixing that now. You should upgrade to 3.2.11.

link

bensedat 4879 days ago

We also are seeing a small group of apps with vulnerable applications even after upgrading to Rails 3.2.11, possibly due to a rogue middleware or other library. Disabling XML parsing entirely is one approach (see http://news.ycombinator.com/item?id=5035389) but we'd love to track it down further for everyone's good. Feel free to join us at https://www.tinfoilsecurity.com/chat if you'd like.

link

scotje 4879 days ago

Aha, well apparently I never merged that commit into my deploy branch, so it was still actually on 3.2.1. That combined with the fact that your page had said 3.2.1 was safe caused my brain to short circuit and not realize that 3.2.11 is what it needed to be on. :) I'll redeploy and check it again, thanks guys!

link

borski 4879 days ago

Yeah, that was totally our bad. I'm deploying the typo fix now.

Let me know if you have any other issues! Happy to help.

link

scotje 4879 days ago

See, in a very circular way I was just reporting the typo. :)

(Looks good now that I have the right release deployed, by the way.)

link

borski 4879 days ago

Ha, fair point. :)

Glad you got it fixed!