New Releases: 2.3.11 and 3.0.4
Posted by michael February 08, 2011 @ 10:39 PM
Two new versions of Ruby on Rails have been released today. As well as including a number of bugfixes, they contain fixes for several security issues. The full details of each vulnerability are available on the rubyonrails-security mailing list. We strongly urge you to update production Rails applications as soon as possible. Rather than post the advisories individually to this blog, I'll just link to the Google Groups archives.
Install the latest version with gem install rails. Or, if you're using Bundler, change the rails entry in your Gemfile to the new version and run bundle update rails. Check the result with rails -v (or bundle exec rails -v) before you deploy.
Summaries
Affecting 2.x.x and 3.0.x
- XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
- CSRF Bypass Risk CVE-2011-0447. Note that these releases tighten forgery protection so that the token is verified on every non-GET request, including XHR and API-style requests that were previously exempt; applications that make AJAX requests need to send the token (the updated helpers send it in the X-CSRF-Token header, taken from csrf_meta_tag in the layout), and a failed check now resets the session rather than raising.
Affecting 3.0.x only
- Filter Problems on Case-Insensitive Filesystems CVE-2011-0449
- Potential SQL Injection with limit() CVE-2011-0448
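The limit() issue (CVE-2011-0448) is the classic pattern of a caller-supplied value being interpolated into the LIMIT clause without validation. The following is an added, stand-alone illustration written for this post; it is not Rails code and does not use ActiveRecord. The query string, the posts/users table names and the PAYLOAD constant are constructed for the example. It shows the vulnerable interpolation beside a hardened version that accepts only an integer, or an "offset,count" pair, and raises on anything else, which is the same shape of defence as coercing with Integer():

```ruby
# Added example for this post (not Rails or ActiveRecord code).
# Demonstrates why an unvalidated LIMIT value is injectable and how
# strict integer coercion closes the hole.

# Constructed attacker input: a "limit" taken from a query string.
PAYLOAD = "1 UNION SELECT login, encrypted_password FROM users".freeze

# Vulnerable pattern: whatever the caller passed goes straight into the SQL.
def unsafe_limit_sql(limit)
  "SELECT id, title FROM posts LIMIT #{limit}"
end

# Hardened: only a non-negative Integer, a digit string, or an
# "offset,count" digit pair survive. Everything else raises before it
# can reach the database. Base 10 is forced so "010" is ten, not octal 8.
def sanitize_limit(limit)
  case limit
  when Integer
    raise ArgumentError, "negative LIMIT: #{limit}" if limit < 0
    limit
  when /\A\s*\d+\s*,\s*\d+\s*\z/
    limit.split(",").map { |n| Integer(n.strip, 10) }.join(",")
  when /\A\s*\d+\s*\z/
    Integer(limit.strip, 10)
  else
    raise ArgumentError, "invalid LIMIT value: #{limit.inspect}"
  end
end

def safe_limit_sql(limit)
  "SELECT id, title FROM posts LIMIT #{sanitize_limit(limit)}"
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{unsafe_limit_sql(PAYLOAD)}"
  puts "hardened:   #{safe_limit_sql('10')}"
  begin
    safe_limit_sql(PAYLOAD)
  rescue ArgumentError => e
    puts "hardened rejected payload: #{e.message}"
  end
end
```

The point of the regex-then-Integer() pairing is that String#to_i would silently turn the payload into 1 and hide the attempted injection, whereas Integer() raises, so the bad input is logged and rejected instead of quietly accepted.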