8 comments

[ 4.1 ms ] story [ 33.2 ms ] thread
Thanks

Is there a site I can sign up for package update notifications for a bunch of projects?

I don't want info on all CVEs or all system packages but just a list of packages I'm interested in (and more than just ubuntu/Debian packages).

I seem to remember one site on HN but my google-fu is weak tonight...

Please, if anyone's reading this, do not release a proof-of-concept until everyone has a chance to patch. (I sense there are a lot of already busy Rails developers today).

By the way, what do freelancers on HN feel about general responsibility for security maintenance after the work has been done?

I have never done any Ruby / Rails development, but this exploit doesn't look like it requires any proof-of-concept.

My understanding is that as long as there is a JSON endpoint accepting parameters, and the parameters are used for query generation without going through a proper validation layer [1], then the app is vulnerable.

[1] In python, this would be things like FormEncode, WTForms, Colander, etc.