Rails gets updates for critical issues in all versions
Three updated versions of Rails with critical security fixes have been released: Rails 2.3.14, 3.0.10 and 3.1.0RC6. According to the Rails developers, the releases were due to be made on 8 August, but were delayed when a request for CVE numbers for the vulnerabilities was apparently not fulfilled. Patches are available for all the issues in the linked advisories, which refer to CVE-XXX-YYY. The associated advisories also refer to fixed versions 2.3.13 and 3.1.0RC5. Version 2.3.13 was, in fact, skipped due to a last-minute error, while 3.1.0RC5 was released on 26 July.
An SQL injection vulnerability in quote_table_name affects the 2.3.x, 3.0.x and 3.1 versions of Rails. Rails 3.x was affected by a filter-skipping vulnerability that allowed attackers to "render a view they should not have access to". A response-splitting issue, which allowed attackers to inject HTTP headers into responses, affected only Rails 2.3.x. An XSS vulnerability in the strip_tags helper affected Rails 3.0.x, 2.3.x and the 3.1 release candidates. Another XSS vulnerability, in the escaping function of Rails, affected the same versions but only when running on Ruby 1.8.x. The 3.0.10 update also contains non-security fixes for ActionPack and ActiveRecord. The 2.3.14 release also includes two non-security bug fixes.
According to the 3.1.0RC6 announcement, barring any show-stopping issues, the developers now hope to release 3.1 on 30 August, a week later than previously hoped.