After the fantastic post by patio11, I spent all afternoon emailing every person in my network, letting them know of the huge security risk. The answer I got from most people? "We have backups, and plan to deal with it soon. Thanks for the heads up." Really? This is the kind of stuff that made me delete every simple rails project I had on my workstations, and just push them to git. No sense in risking it.
Oh, and best of all was the response from my webhost (which is well known here):
>We've added updated Rails installers to our control panel so that new Rails apps will be created with the latest secure versions. However, it's our customers' own responsibility to upgrade their existing Rails apps.
>Note that customer Rails apps run as unprivileged users, with resources managed by the kernel cgroups feature, so it's very unlikely that you'd see any issues on your own sites if another customer's app was compromised.
Hmm, very unlikely but still possible. Not something I want to hear from the people who I'm trusting with my projects. I'm canceling my account tomorrow and moving away from them.
I know they are not responsible for their client stuff, but this is a real threat to their servers.
>It's very unlikely that you'd see any issues on your own sites if another customer's app was compromised.
>Hmm, very unlikely but still possible.
I think this is a fair statement as far as I can tell: If it were possible for a compromised customer's app to affect your app, then you're not safe anyway without this exploit: a malicious customer could affect you too just as easily.