29 Jan '13, 10am

Ruby on Rails 3.0.20 and 2.3.16 Released to Address Extremely Critical Vulnerability #ccureit

Ruby on Rails 3.0.20 and 2.3.16 have been released. Users are advised to update their installations as soon as possible because the new releases address an extremely critical vulnerability. Ruby on Rails 2.3.x and Ruby on Rails 3.0.x are affected by the security hole. The vulnerability, present in the JSON parsing code, can be leveraged by attackers to bypass authentication, inject arbitrary SQL commands, execute arbitrary code, and even perform DoS attacks against Rails applications. “The JSON Parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML,” reads the

Full article: http://news.softpedia.com/news/Ruby-on-Rails-3-0-20-and-2...

Tweets

[SEC][ANN] Rails 3.0.20, and 2.3.16 have been r...

weblog.rubyonrails.org 28 Jan '13, 9pm

I'd like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fi...

Vulnerability in JSON Parser in Ruby on Rails 3...

groups.google.com 28 Jan '13, 9pm

This browser is not supported.

Third security update for Ruby On ...

developpez.com 30 Jan '13, 2pm

Ruby On Rails, the free web framework written in Ruby, receives for the third consecutive time in the space of just one month...

Ruby on Rails receives the third security patch...

news.techworld.com 30 Jan '13, 9am

Developers of the Ruby on Rails web development framework have released versions 3.0.20 and 2.3.16 of the software in orde...

Some Versions of Ruby on Rails Vulnerable to Ne...

threatpost.com 29 Jan '13, 6pm

A vulnerability exists in Ruby on Rails’ JavaScript Object Notation (JSON) code that could open the Web framework up to a ...

Ruby on Rails receives the third security patch in less than a month

Ruby on Rails receives the third security patch...

pcworld.com 29 Jan '13, 9pm

Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in...

Ruby 2.0.0-rc2 is released

ruby-lang.org 08 Feb '13, 2pm

Ruby 2.0.0-rc2 is released. This will be the last release candidate of Ruby 2.0.0. Please give it a try, and report any is...

#toronto Ruby on rails receives the third secur...

news.techworld.com 30 Jan '13, 11am

Developers of the Ruby on Rails web development framework have released versions 3.0.20 and 2.3.16 of the software in orde...

Django: 16 vulnerabilities. DoS, XSS, CSRF. Rai...

cvedetails.com 30 Jan '13, 9pm

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and ...

[remote] - Ruby on Rails JSON Processor YAML De...

exploit-db.com 29 Jan '13, 3pm

# This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Ple...

Verification report on the Ruby on Rails JSON parameter parsing vulnerability that allows arbitrary code execution (CVE-2013-0333) -

Ruby on Rails JSON parameter parsing vulnerability allowing arbitrary code executio...

security.intellilink.co.jp 01 Feb '13, 5am

Vulnerability Note VU#628463: Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability http://www.kb.cert.org/vuls/id/628463

Ruby on Rails JSON Processor YAML Deserializati...

packetstormsecurity.com 29 Jan '13, 4pm

This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails a...

Ruby on Rails receives its third security patch...

infoworld.com 29 Jan '13, 7pm

Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in...