Ruby on Rails patches more SQL injection holes
Further security problems have been found in the Ruby on Rails web framework following the release of updates that addressed two critical vulnerabilities less than two weeks ago. The new security holes are in the same areas of the framework's database layer Active Record and in its query generation. The vulnerabilities could allow hackers to, for example, access confidential data from the database tables without authorisation.
The developers have again released updated versions of Ruby on Rails – 3.2.6, 3.1.6 and 3.0.14 – and ask all affected users to update their Rails installations as soon as possible. For users who cannot update to the latest supported versions of Rails, the developers have issued patches for both security vulnerabilities. In the case of the Active Record vulnerability, fixes have been issued for versions 2.3.x and 3.x of Ruby on Rails. The unsafe query generation problem was fixed in the 3.x series of Rails.
Version 2.3.x and 3.0.x of Rails are now unsupported and it is recommended that users who are running these older, unsupported versions of Ruby on Rails should update to supported versions because the availability of patches for future security issues is not guaranteed.