In association with heise online

27 July 2012, 10:36

Rails 3.2.7 released with denial of service fix


The Ruby on Rails developers have released version 3.2.7 of the web application framework; it includes an "important security fix" for a denial-of-service issue. The issue (CVE-2012-3424) allows an attacker to crash a Rails application by supplying specially crafted authentication data.

The issue affects applications that use Action Pack's HTTP digest authentication, i.e. those calling the "with_http_digest" controller helper methods such as authenticate_or_request_with_http_digest. According to the advisory there are no workarounds, and the issue also affects Rails 3.0 and 3.1. The developers recommend that users upgrade immediately.

As well as the 3.2.7 release, Rails 3.0.16 and 3.1.7 have been released with fixes for the issue. Other changes made in 3.2.7 are documented in the GitHub change log and include a number of fixes for Active Support, Active Model and Action Pack.
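The two facts an operator needs from the preceding paragraphs are the affected population (controllers that call the digest helpers) and the per-branch fixed versions (3.0.16, 3.1.7, 3.2.7). The following Ruby script, an added example that is not part of the article or of the Rails project, turns both into a quick audit: it classifies an installed Rails version against those fixed releases and scans controller source for the digest helper names. The sample controller is constructed for the example; treating branches the article does not mention (e.g. 2.3.x) as "not covered" rather than safe, and treating anything at or above 3.2.7 as fixed, are assumptions of this script.

```ruby
require "rubygems" # Gem::Version (loaded by default on modern Ruby; harmless here)

# Releases that ship the fix for CVE-2012-3424, per branch, as given in the
# release announcement.
FIXED_VERSIONS = {
  "3.0" => Gem::Version.new("3.0.16"),
  "3.1" => Gem::Version.new("3.1.7"),
  "3.2" => Gem::Version.new("3.2.7"),
}.freeze

# Classify a Rails version string.
#   :vulnerable  - on an affected branch, below that branch's fixed release
#   :fixed       - at or above the fixed release for its branch, or any later
#                  branch (assumption: later branches were cut after the fix)
#   :not_covered - a branch the advisory does not mention (e.g. 2.3.x);
#                  assumption: out of scope, deliberately NOT reported as safe
def rails_status(version_string)
  v      = Gem::Version.new(version_string)
  branch = v.segments.first(2).join(".")   # "3.2.7.rc1" -> "3.2"
  fixed  = FIXED_VERSIONS[branch]

  if fixed
    v >= fixed ? :fixed : :vulnerable      # prereleases (3.2.7.rc1) sort below 3.2.7
  elsif v >= Gem::Version.new("3.2.7")
    :fixed
  else
    :not_covered
  end
end

# Any method name containing "http_digest" marks a controller as using Action
# Pack's digest authentication, e.g. authenticate_or_request_with_http_digest.
DIGEST_HELPER = /\b\w*http_digest\w*\b/

# Return the distinct digest helper names referenced in a chunk of source.
def digest_helpers_used(source)
  source.scan(DIGEST_HELPER).uniq
end

# Constructed sample controller (not from any real application).
SAMPLE_CONTROLLER = <<~RUBY
  class AdminController < ApplicationController
    USERS = { "alice" => "s3cret" }
    before_filter :authenticate

    private
    def authenticate
      authenticate_or_request_with_http_digest("Admin") { |name| USERS[name] }
    end
  end
RUBY

if __FILE__ == $0
  version = ARGV[0] || "3.2.6"
  puts "Rails #{version}: #{rails_status(version)}"
  helpers = digest_helpers_used(SAMPLE_CONTROLLER)
  puts helpers.empty? ? "no digest helpers found" : "digest helpers: #{helpers.join(', ')}"
end
```

Run it as `ruby audit.rb "$(bundle exec rails -v | awk '{print $2}')"` inside an application, and point `digest_helpers_used` at the concatenated contents of `app/controllers` rather than the embedded sample. An application that reports `:vulnerable` and uses at least one helper has, per the advisory, no mitigation other than upgrading.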

