On Mon, Jan 28, 2013 at 3:13 PM, Aaron Patterson <tenderlove / ruby-lang.org> wrote:

> Hi everybody.
>
> I'd like to announce that 3.0.20, and 2.3.15 have been released. These
> releases contain one **extremely critical security fix** so please update
> **IMMEDIATELY**.
>
> You can read about the security fix by following this link:
>
> * [CVE-2013-0333](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo)

First, I'd like to thank you Aaron for your hard work in handling security in rails.

I can't help but feel that rails is being smacked by major vulnerability after vulnerability. Would it at all be helpful to get a Kickstarter or some fundraiser started to get a formal audit underway (Where's the NSA when you need them)?

I wonder how much of these vulnerabilities stem from the fact that we (in rails) use Turing-complete protocols/languages for everything, thus exposing weird machines.

The Science of Insecurity (2008 CCC)
It's an hour long, but well worth it:
http://www.youtube.com/watch?v=v8F8BqSa-XY

While I am glad to see these issues fixed, I can't help but wonder how many more vulnerabilities we still don't know about.

Again, I really do appreciate the attention to detail that Aaron and the rest of the rails team give to rails.

Respectfully,
Andrew McElroy