Ruby on Rails security updates address SQL injection flaw

The Ruby on Rails developers rushed to fix a publicly disclosed SQL injection vulnerability

The developers of Ruby on Rails, a popular Web application development framework for the Ruby programming language, released versions 3.2.10, 3.1.9, and 3.0.18 of the software on Wednesday in order to patch a serious SQL injection vulnerability.

"These releases contain an important security fix," the Rails development team said in a blog post. "It is recommended that all users upgrade immediately."

The vulnerability is located in the framework's Active Record database query interface and allows potential attackers to inject arbitrary SQL (Structured Query Language) statements.

SQL injection vulnerabilities are commonly exploited by attackers to extract information from databases.

The Rails developers apologized for releasing a security update so close to the holidays, but said that they were forced to rush out a patch because the vulnerability had been publicly disclosed.

In order to help users who can't immediately upgrade to the latest versions of the framework, the Rails development team published a workaround and released manual patches that can be easily applied to older versions, including two that are no longer supported.

That said, users of unsupported versions were urged to upgrade as soon as possible because the future availability of security fixes for those versions is not guaranteed. Only Rails 3.1.x and 3.2.x series are supported at the moment, the developers said.

Tags: patches, ruby on rails, online safety, security, Exploits / vulnerabilities

BlackBerry Hints at Complete End Point Security

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Email Security and Data Protection

Encrypt your sensitive email

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.