On Mon, Jan 28, 2013 at 3:13 PM, Aaron Patterson
<tenderlove / ruby-lang.org> wrote:

> Hi everybody.
>
> I'd like to announce that 3.0.20, and 2.3.15 have been released.  These
> releases contain one **extremely critical security fix** so please update
> **IMMEDIATELY**.
>
> You can read about the security fix by following this link:
>
> * [CVE-2013-0333](
> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
> )


First, I'd like to thank you, Aaron, for your hard work in handling security
in Rails.
I can't help but feel that Rails is being smacked by
major vulnerability after vulnerability.
Would it at all be helpful to get a Kickstarter or some fundraiser started
to get a formal audit underway? (Where's the NSA when you need them?)

I wonder how much of these vulnerabilities stem from the fact that we (in
Rails) use Turing-complete protocols/languages for everything, thus
exposing weird machines.
The Science of Insecurity (2008 CCC). It's an hour long, but well worth it:
http://www.youtube.com/watch?v=v8F8BqSa-XY

While I am glad to see these issues fixed, I can't help but wonder how many
more vulnerabilities we still don't know about.
Again, I really do appreciate the attention to detail that Aaron and the
rest of the Rails team give to Rails.

Respectfully,
Andrew McElroy