Ruby on Rails updated to fix security flaws
The web application framework Ruby on Rails has been updated to version 3.2.2 to fix two important security issues and several other bugs. Users are advised to upgrade their installations as quickly as possible due to the serious nature of the fixed security flaws – these fixes are unrelated to the recent issues with GitHub and Rails. Users of Rails 3.0 and 3.1 will find new versions, 3.0.12 and 3.1.4, that also address the vulnerabilities.
The two cross-site scripting vulnerabilities that were fixed allow attackers to take advantage of improperly sanitised options tag fields and direct manipulation of a safebuffer to execute arbitrary HTML in the browser of users visiting a Rails site. Further details of the option tag issue and safebuffer issue are available.
The Rails 3.2.2 update also includes fixes which ensure log files are always flushed and that failing tests will exit with non-zero status codes. It also removes calls to some deprecated methods and includes various Ruby 2.0 compatibility fixes. More information on the changes since version 3.2.1 is available on GitHub. Rails 3.2.2 can be downloaded using RubyGems and is released under the MIT Licence.