Rails 3.2.7 released with denial of service fix
The Ruby on Rails developers have released version 3.2.7 of the web application framework; this includes an "important security fix" for a denial-of-service issue. The issue (CVE-2012-3424) allows an attacker to trigger a crash of a Rails system by using specially crafted authentication data.
The issue affects systems using the Action Pack digest authentication, typified by the use of the "with_http_digest" controller helper methods such as
authenticate_or_request_with_http_digest. There are, according to the advisory, no workarounds for the issue which also affects Rails 3.0 and 3.1. The developers recommend that users upgrade immediately.
As well as the 3.2.7 release, there are releases of Rails 3.0.16 and 3.1.7 available which also have fixes for the issue. Other changes made in 3.2.7 are documented in the github change log and include a number of fixes for Action Support, Active Model and Action Pack.