Posts

Ruby on Rails vulnerabilities fixed in 3.2.16 and 4.0.2

Rails 3.2.16 and 4.0.2 have been released!

These two releases contain important security fixes, so please upgrade as soon as possible! In order to make upgrading as smooth as possible, we’ve only included commits directly related to each security issue.

More information: Rails 3.2.16 and 4.0.2 have been released!

Ruby on Rails patched to 3.2.13, 3.1.12, and 2.3.18

New versions of Ruby on Rails have been released. If you are running an older version of one of these branches, update as soon as possible so that malicious users cannot exploit the known vulnerabilities fixed in these releases.

Information from the Rails team:

Hi everyone!

Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These releases contain important security fixes. It is recommended users upgrade as soon as possible.

Please check out these links for the security fixes:

CVE-2013-1854 Symbol DoS vulnerability in Active Record
CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails

Source: http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
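The practical question after both of these posts is whether a given application is actually running a fixed release. The Ruby script below is an added example (not code from the Rails team or from the original posts): it takes the fixed versions named in the two announcements, compares a version string against the fix for its branch using rubygems' own version ordering, and pulls the Rails version out of a Gemfile.lock. The fixed-version table, the method names, the status symbols and the sample Gemfile.lock are assumptions made for this example; the 3.2 branch is checked against 3.2.16, so a 3.2.13 to 3.2.15 install is reported as vulnerable because it lacks the December fixes.

```ruby
require "rubygems"

# Added example; not part of the original posts or of Rails itself.
# Lowest release of each branch that contains every fix from both announcements
# (March 2013: 2.3.18 / 3.1.12 / 3.2.13; December 2013: 3.2.16 / 4.0.2).
# Branches absent from the table (for instance 3.0.x) got no fix in either release.
FIXED_VERSIONS = {
  "2.3" => Gem::Version.new("2.3.18"),
  "3.1" => Gem::Version.new("3.1.12"),
  "3.2" => Gem::Version.new("3.2.16"),  # supersedes 3.2.13
  "4.0" => Gem::Version.new("4.0.2"),
}.freeze

# Classify a version string as :patched, :vulnerable, :unsupported (branch not
# covered by these releases) or :unparseable (not a version string at all).
# Gem::Version orders pre-releases before the final release, so "3.2.16.rc1"
# compares lower than "3.2.16" and is reported as vulnerable.
def rails_status(version_string)
  version = Gem::Version.new(version_string)
  major, minor = version.segments.first(2)     # "4.0.2" => [4, 0]
  fixed = FIXED_VERSIONS["#{major}.#{minor}"]
  return :unsupported unless fixed
  version >= fixed ? :patched : :vulnerable
rescue ArgumentError                           # raised for malformed strings
  :unparseable
end

# Extract the resolved rails version from a Gemfile.lock. Only the spec line
# (four spaces of indentation, no operator inside the parentheses) matches;
# dependency lines such as "      rails (= 3.2.13)" or "  rails (>= 3.0)" do not.
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}rails \((\d[^)]*)\)$/)
  match && match[1]
end

# Convenience wrapper: [version, status] for a lockfile, or [nil, :not_found].
def check_lockfile(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  return [nil, :not_found] unless version
  [version, rails_status(version)]
end

# Constructed sample lockfile for a pre-patch 3.2 application (not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.13)
        activemodel (= 3.2.13)
      rails (3.2.13)
        actionmailer (= 3.2.13)
        actionpack (= 3.2.13)
        railties (= 3.2.13)

  DEPENDENCIES
    rails (= 3.2.13)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Check a lockfile path given on the command line, else the embedded sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  version, status = check_lockfile(text)
  puts "rails #{version.inspect}: #{status}"
end
```

Run it as `ruby check_rails.rb path/to/Gemfile.lock` against each deployed application; anything other than `:patched` needs attention, and `:unsupported` means the branch received no fix in these releases and must be upgraded to a supported one rather than to a point release.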