Ruby on Rails security updates address SQL injection flaw

The Ruby on Rails developers rushed to fix a publicly disclosed SQL injection vulnerability

The developers of Ruby on Rails, a popular Web application development framework for the Ruby programming language, released versions 3.2.10, 3.1.9, and 3.0.18 of the software on Wednesday in order to patch a serious SQL injection vulnerability.

"These releases contain an important security fix," the Rails development team said in a blog post. "It is recommended that all users upgrade immediately."

The vulnerability is located in the framework's Active Record database query interface and allows potential attackers to inject arbitrary SQL (Structured Query Language) statements.

SQL injection vulnerabilities are commonly exploited by attackers to extract information from databases.

The Rails developers apologized for releasing a security update so close to the holidays, but said that they were forced to rush out a patch because the vulnerability had been publicly disclosed.

In order to help users who can't immediately upgrade to the latest versions of the framework, the Rails development team published a workaround and released manual patches that can be easily applied to older versions, including two that are no longer supported.

That said, users of unsupported versions were urged to upgrade as soon as possible because the future availability of security fixes for those versions is not guaranteed. Only Rails 3.1.x and 3.2.x series are supported at the moment, the developers said.

Tags patchesruby on railsonline safetysecurityExploits / vulnerabilities

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Business Continuity Management Solutions

Automate business-continuity and disaster-recovery planning and enable crisis management in one solution.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.