Urgently update to Ruby on Rails 3.2.12, 3.1.11 and 2.3.17, for the sake of your own nerves
Good day, dear reader. I hope you are reading this short post over your morning coffee and did not have to make an emergency deploy in the middle of the night. If you did, I'm sorry, and I suggest you update your Ruby on Rails applications right now.
You can see what has changed on GitHub:
- 3.2.x -> 3.2.12 (vulnerability in attr_protected)
- 3.1.x -> 3.1.11 (the same vulnerability in attr_protected and another vulnerability in YAML)
- 2.3.x -> 2.3.17 (YAML, attr_protected)
In addition to patching the framework itself, the team recommends updating the JSON gem, whose release today contains fixes that are no less important. The situation was described in detail by chikey.
Since the beginning of this year, only the lazy have failed to find a vulnerability in Rails. But this activity is more pleasing than upsetting, since it shows that the framework is maturing. Do not forget to follow the Google Group, and to thank the people who find vulnerabilities and fix them.
Subjectively useful reading recommended by me: