Friday, Sep 04 2009

Two vulnerabilities fixed in Rails 2.3.4

Rails version 2.3.4 has been released to fix two vulnerabilities.

  • A timing weakness in the ClientCookieStore. Rails version 2.1.0 and all subsequent versions are affected. Detailed information can be found here.
  • And an XSS vulnerability in the way Rails handles Unicode. This affects all versions in the Rails 2 branch, but not applications running on Ruby 1.9.

Upgrade to version 2.3.4 now, or apply a patch (available on the pages linked above).
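A timing weakness in a signed cookie store comes down to how the cookie's HMAC is compared. As an added illustration (not Rails code; the secret is constructed and the `payload--digest` layout is assumed), here is a minimal verifier with a byte-by-byte comparison beside a constant-time one:

```ruby
require 'openssl'
require 'base64'

# Constructed secret for the example only.
SECRET = 'constructed-example-secret'.freeze

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Assumed cookie layout: "<base64 payload>--<hex HMAC-SHA1 of the payload>".
def sign(payload, secret = SECRET)
  data = Base64.strict_encode64(payload)
  "#{data}--#{hmac_hex(secret, data)}"
end

# Naive comparison: String#== returns at the first mismatching byte, so the
# time it takes depends on how many leading bytes of the digest are right.
def naive_equal?(a, b)
  a == b
end

# Constant-time comparison: touches every byte regardless of where the
# strings differ; only the length (public for a fixed digest) is revealed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the payload when the digest matches, nil otherwise.
# The comparison strategy is injectable so both can be exercised.
def verify(signed, secret = SECRET, compare: method(:secure_equal?))
  data, digest = signed.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless compare.call(digest, hmac_hex(secret, data))
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end
```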
