Aug 20, 2011

Rails 2.3.14, 3.0.10 and 3.1.0-rc6 Released

The Rails developers have pushed out three new releases in tandem to fix the same set of security vulnerabilities, one release for each of the three maintained branches (2.3, 3.0 and 3.1). The vulnerabilities include:

  • SQL injection vulnerability
  • A way for attackers to render a view without first calling the corresponding action
  • An XSS vulnerability in the strip_tags helper
  • Another XSS vulnerability, this one in the UTF-8 parsing code

It's recommended that everyone upgrade, as the SQL injection and XSS vulnerabilities can be particularly damaging.
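As an added example (not part of the original post), here is a small Ruby script that reads the Rails version pinned in a Gemfile.lock and reports whether it is at or above the patched release for its branch. The version table comes from the announcement above; the lockfile text is a constructed sample. The 3.1 release candidate is written in its RubyGems form, `3.1.0.rc6`, because `Gem::Version` treats a hyphen differently from a dot when ordering prereleases.

```ruby
require "rubygems"

# Minimum patched version per Rails branch, taken from the Aug 20, 2011
# announcement. The 3.1 release candidate's gem version is "3.1.0.rc6"
# (the post writes it as 3.1.0-rc6; both name the same release).
PATCHED = {
  "2.3" => Gem::Version.new("2.3.14"),
  "3.0" => Gem::Version.new("3.0.10"),
  "3.1" => Gem::Version.new("3.1.0.rc6"),
}.freeze

# Returns the "major.minor" branch of a version string, e.g. "3.0.9" -> "3.0".
# Prerelease tags are ignored, so "3.1.0.rc5" -> "3.1".
def rails_branch(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

# Returns :patched, :vulnerable or :unknown for a Rails version string.
# :unknown covers malformed strings and branches the announcement does not
# list (for example a hypothetical 4.0 branch), so callers never get a false
# "patched" answer for a branch this table knows nothing about.
def rails_patch_status(version)
  return :unknown unless Gem::Version.correct?(version)
  fixed = PATCHED[rails_branch(version)]
  return :unknown if fixed.nil?
  Gem::Version.new(version) >= fixed ? :patched : :vulnerable
end

# Extracts the resolved rails version from Gemfile.lock text. The specs
# section lists "rails (3.0.9)"; the DEPENDENCIES section lists
# "rails (= 3.0.9)", so the capture must start with a digit to pick the
# resolved version rather than the constraint.
def rails_version_from_lockfile(lock_text)
  m = lock_text.match(/^\s+rails \((\d[^)]*)\)\s*$/)
  m && m[1]
end

# Constructed sample lockfile for a 3.0 app that has not yet upgraded.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      rails (3.0.9)
        actionmailer (= 3.0.9)
        railties (= 3.0.9)

  DEPENDENCIES
    rails (= 3.0.9)
LOCK

if __FILE__ == $0
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = rails_version_from_lockfile(lock)
  puts "rails #{version.inspect}: #{rails_patch_status(version.to_s)}"
end
```

Run it as `ruby check_rails.rb Gemfile.lock` against a real application, or with no argument to see the constructed sample reported as vulnerable (3.0.9 is below 3.0.10).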
