09 Jan '13, 10am

Ruby on Rails 3.2.11 released to address 2 "extremely critical" vulnerabilities

Less than one week has passed since Ruby on Rails 3.2.10 was released to address an SQL injection vulnerability. Yesterday, however, the developers were forced to issue another update because of two "extremely critical" security holes. The first vulnerability exists when Active Record is used in conjunction with JSON parameter parsing. An attacker can leverage the flaw to issue unexpected database queries. The bug does not allow the attacker to insert arbitrary values into an SQL query, but they can "cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it." The second issue consists of multiple vulnerabilities in parameter parsing in Action Pack. These weaknesses can be exploited to bypass authentication systems, inject arbitrary code, and even perform DoS attacks against Rails applications. Considering the critical nature ...

Full article: http://news.softpedia.com/news/Ruby-on-Rails-3-2-11-Relea...

Tweets

Ruby on Rails patches more critical vulnerabili...

infoworld.com 09 Jan '13, 12pm

Those using the Ruby on Rails Web application framework on their websites are being advised to update the software immedia...

Ruby on Rails patches more critical vulnerabilities: Those using the Ruby on Rails web application framework on

Ruby on Rails patches more critical vulnerabili...

news.hitb.org 09 Jan '13, 10am

Those using the Ruby on Rails web application framework on their websites are being advised to update the software immedia...

Ruby on Rails releases "extremely critical" fixes

scmagazine.com 09 Jan '13, 5pm

The maintainers of Ruby on Rails have pushed out the second update in a week to fix critical holes in the web applicat...

Anyone using Rails in production should upgrade...

ruby-forum.com 08 Jan '13, 8pm

Hi everybody. I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two ...

Ruby on Rails pushing out 'extremely critical' fixes: Workaround available.

Ruby on Rails pushing out 'extremely critical' ...

scmagazine.com.au 09 Jan '13, 2am

The maintainers of Ruby on Rails have pushed out the second update in a week to fix a critical hole in the framework which...

Unsafe Query Generation Risk in Ruby on Rails (...

groups.google.com 08 Jan '13, 8pm


Critical vulnerability in Ruby on Rails paramet...

h-online.com 09 Jan '13, 11am

The developers of Ruby on Rails are calling on users to update their Rails installations as soon as possible, following th...

Rails

weblog.rubyonrails.org 08 Jan '13, 8pm

I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely crit...

Any Ruby on Rails app is, badly, utterly, pwned...

groups.google.com 09 Jan '13, 3am


Extremely critical Ruby on Rails bug threatens ...

reddit.com 09 Jan '13, 2am

No, what you need is a descriptive language that gives designers what they want and then hook everything up by calling som...

Read @adamjodonnell's insights on the latest Ru...

blog.sourcefire.com 09 Jan '13, 8pm

A little under 24 hours ago two major, long-standing vulnerabilities were announced in the popular web programming framewo...

Ruby on Rails Releases 'Extremely Critical' Sec...

securityweek.com 09 Jan '13, 6pm

The latest versions, 3.2.11, 3.1.10, 3.0.19, and 2.3.15, have been updated with "two extremely critical security fixes" and...

Rails vulnerabilities are not Rails'

revision-zero.org 12 Jan '13, 6pm

Would it make sense for Rails controllers to accept YAML-encoded parameters? Of course it does. URL-encoded, XML, and JSON...

Extremely critical Ruby on Rails bug threatens ...

linuxtoday.com 09 Jan '13, 8pm

Extremely critical Ruby on Rails bug threatens more than 200,000 sites. Jan 09, 2013, 11:00. Hundreds...