« Two MRI security vulnerabilities in Ruby 1.8 and 1.9 | Main | Vulnerability in the Mail gem affecting Rails 3.0.x applications »
Wednesday
Feb092011

Several vulnerabilities in Rails 2 & 3

Two new Ruby on Rails versions have been released yesterday because of 4 security vulnerabilities in Rails.

Potential XSS Problem with mail_to :encode => :javascript
Versions Affected:  All.
Not affected:       Applications which don't use :encode => :javascript
Fixed Versions:     3.0.4, 2.3.11

CSRF Protection Bypass in Ruby on Rails
Versions Affected:  2.1.0 and above
Not affected:       Applications which don't use the built in CSRF protection.
Fixed Versions:     3.0.4, 2.3.11
Do read the instructions carefully because it will affect your session and may require additional steps other than just updating. More here and in the Rails Security Guide.

Potential SQL Injection in Rails 3.0.x
Versions Affected:  3.0.0-3.0.3
Not affected:       Releases before 3.0.0
Fixed Versions:     3.0.4
Unfortunately this has been fixed in earlier versions already.

Versions Affected:  3.0.0-3.0.3
Not affected:       2.3.x versions and all earlier versions. Applications deployed on case-sensitive filesystems.
Fixed Versions:     3.0.4

PrintView Printer Friendly Version

EmailEmail Article to Friend