Update for Ruby on Rails remedies security problems
Version 2.1.1 of the Ruby on Rails web framework has been released. It fixes a number of minor bugs and instabilities and also remedies two vulnerabilities. A flaw in Ruby's REXML library allows a remote attacker to crash almost any Ruby application that parses XML user input with REXML, which Ruby uses by default. Ruby developers call this kind of DoS attack an "XML entity explosion".
The flaw affects all Ruby applications running on Ruby 1.8.6-p287 and earlier, or 1.8.7-p72 and earlier. At the moment, Ruby itself has only a source code patch and instructions for a workaround.
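As an added illustration that is not part of the original article, the following Ruby snippet shows the defensive setting the Ruby workaround relies on: capping the number of entity expansions REXML will perform before it abandons a document. It uses the REXML::Security API of current REXML releases (the 2008 workaround set REXML::Document.entity_expansion_limit instead); the sample XML and the parse_untrusted_xml helper are constructed for this example.

```ruby
require "rexml/document"

# Constructed sample: two levels of nested entities, so the ten "&b;"
# references in the body expand to 100 copies of "x" (110 expansions in
# total). It is deliberately tiny; it only needs to exercise the cap.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  ]>
  <r>&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;</r>
XML

# Parse untrusted XML with a hard cap on entity expansions (hypothetical
# helper). REXML raises a RuntimeError ("number of entity expansions
# exceeded, processing aborted.") once the cap is hit, either during parsing
# or, for the tree parser, when the text is first read. The cap is global
# REXML state, so it is restored afterwards.
# Returns { ok: true, text: ... } or { ok: false, error: ... }.
def parse_untrusted_xml(xml, limit:)
  previous = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = limit  # set before Document.new
  doc = REXML::Document.new(xml)
  { ok: true, text: doc.root.text }               # .text expands entities
rescue RuntimeError => e                          # REXML::ParseException too
  { ok: false, error: e.message }
ensure
  REXML::Security.entity_expansion_limit = previous
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted_xml(SAMPLE_XML, limit: 5)       # rejected: cap exceeded
  p parse_untrusted_xml(SAMPLE_XML, limit: 10_000)  # accepted: 100 x "x"
end
```

A production service would pick the cap from the largest legitimate document it expects, not from the default, and would log the rejection so a flood of such documents is visible in monitoring.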
The new version of Ruby on Rails also closes a SQL injection hole that was already fixed in version 2.1 but remained in the MySQL adapter; the developers now say the problem has been fully remedied. Specially crafted :limit and :offset parameters allowed arbitrary commands to be sent to the database.
In addition to version 2.1.1 of Ruby on Rails, version 2.0.4 has been released, though it only remedies the REXML problem.
- DoS vulnerability in REXML, Ruby bug report.
- Rails 2.1.1: Lots of bug fixes, Ruby on Rails bug report.