We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Ruby on Rails receives the third security patch in less than a month

Ruby on Rails versions 3.0.20 and 2.3.16 fix an extremely critical remote code execution vulnerability

Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in order to address a critical remote code execution vulnerability.

This is the third security update released in January for Ruby on Rails, an increasingly popular framework for developing Web applications using the Ruby programming language that was used to build websites like Hulu, GroupOn, GitHub, Scribd and others.

The Rails developers described the updates released Monday as "extremely critical" in a blog post and advised all users of the 3.0.x and 2.3.x Rails software branches to update immediately.

According to a corresponding security advisory, the newly released Rails versions address a vulnerability in the Rails JSON (JavaScript Object Notation) code that allows attackers to bypass authentication systems, inject arbitrary SQL (Structured Query Language) into an application's database, inject and execute arbitrary code or perform a denial-of-service (DoS) attack against an application.

The Rails developers pointed out that despite receiving this update, the Rails 3.0.x branch is no longer officially supported. "Please note that only the 2.3.x, 3.1.x and 3.2.x series are supported at present," they said in the advisory.

Users of Rails versions that are no longer supported were advised to upgrade as soon as possible to a newer, supported version, because the continued availability of security fixes for unsupported versions cannot be guaranteed. The newer 3.1.x and 3.2.x Rails branches are not affected by this vulnerability.

This latest Rails vulnerability is identified as CVE-2013-0333 and is different from CVE-2013-0156, a critical SQL injection vulnerability patched in the framework on Jan. 8. The Rails developers stressed that users of Rails 2.3 or 3.0 who previously installed the fix for CVE-2013-0156 are still required to install the new fix released this week.


IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model