Security Fixes for Ruby on Rails

Tuesday, December 10, 2013 @ 06:12 PM gHale

Versions 3.2.16 and 4.0.2 of Ruby on Rails released last week to address important security issues and users should update their installations as soon as possible.

There are four vulnerability fixes in both variants.

Botnet Builds off Ruby on Rails Bug
VMware Patches Privilege Bug
VMware Patches Workstation Bug
VMware Patches Security Holes

The list includes an unsafe query generation risk caused by an incomplete fix to an older bug, reflected cross-site scripting (XSS) in the internationalization component of Ruby on Rails, XSS in the number_to_currency helper, and a denial-of-service (DOS) issue in Action View.

In addition to these problems, an XSS vulnerability in the simple_format helper has been addressed in Rails 4.0.2.

Kevin Reintjes, Toby Hsieh of SlideShare, Ankit Gupta, Peter McLarnan of Matasano Security , and Sudhir Rao have reported the security holes.

Click here for additional technical details and workarounds for each of the flaws.

Leave a Reply

You must be logged in to post a comment.