by knowtheory 4822 days ago
Specifically that the security releases included changes to the way that ActiveRecord works (which were unrelated to the security issues).

As a consequence, their search queries were scoped differently than what they had intended. So their choice was roll back the security release, or modify their app to accommodate ActiveRecord's altered behavior.


Actually, ironically, the _particular_ bug that changed how ActiveRecord works... which caused security problems... was an unintentional regression in a _security patch_.

There were ALSO unrelated changes (quite a few) in the patch release that included the latest security fixes. Which is a mess.

But for the _particular_ problem here, the OP suggests it was the same problem GitHub reported [here](https://github.com/blog/1440-today-s-email-incident), where they say they isolated the introduction of the regression to [this commit](https://github.com/rails/rails/commit/f980289fd2c1b9073a94b5...), which in fact has a commit message identifying it as the fix to CVE-2013-1854.

So, yes, a security fix unintentionally introduced a regression with _other_ security implications. Yeah, this is kind of ironic, and yeah, it means it's not so simple to say what could have been done to avoid it. (In this case, I'm surprised there wasn't an automated test already that caught the particular regression. It seems like something that should have been tested. But I haven't looked at the test source to see if it was an odd edge case or what have you.)

(But it's STILL bad practice to release security patches only in releases bundled with a bunch of other changes.)

I see. Thanks for the clarification.