[Mongrel] Regarding the 1.1.3 security release

Tom Copeland tom at infoether.com
Sat Dec 29 09:23:20 EST 2007


On Sat, 2007-12-29 at 03:32 -0500, Zed A. Shaw wrote:
> I think others said it, but I'll lay out the conditions for what is the
> most likely upgrade requirement:
> 
> 1) If you use nginx or apache (and maybe other full web servers with a
> proxy module) then you can wait to upgrade, but probably not very
> long.  This is because these servers do their own checking as well, and
> are handling your files.  That means a request for the file will be
> dropped, and blocked.
> 2) If you use a pure TCP/IP based proxy balancer (balance, pen,
> swiftiply?) then you must upgrade as these do no checks on the incoming
> TCP packets.
> 3) If you use mongrel directly to serve content then you must upgrade.
> 
> If you cannot upgrade, see the list earlier for the one line fix.  You
> don't need the comments :-)

Cool, thanks much for the summary and also for the quick fix!

Yours,

tom



