We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Ruby on Rails receives the third security patch in less than a month

Ruby on Rails versions 3.0.20 and 2.3.16 fix an extremely critical remote code execution vulnerability

Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in order to address a critical remote code execution vulnerability.

This is the third security update released in January for Ruby on Rails, an increasingly popular framework for developing Web applications using the Ruby programming language that was used to build websites like Hulu, GroupOn, GitHub, Scribd and others.

The Rails developers described the updates released Monday as "extremely critical" in a blog post and advised all users of the 3.0.x and 2.3.x Rails software branches to update immediately.

According to a corresponding security advisory, the newly released Rails versions address a vulnerability in the Rails JSON (JavaScript Object Notation) code that allows attackers to bypass authentication systems, inject arbitrary SQL (Structured Query Language) into an application's database, inject and execute arbitrary code or perform a denial-of-service (DoS) attack against an application.

The Rails developers pointed out that despite receiving this update, the Rails 3.0.x branch is no longer officially supported. "Please note that only the 2.3.x, 3.1.x and 3.2.x series are supported at present," they said in the advisory.

Users of Rails versions that are no longer supported were advised to upgrade as soon as possible to a newer, supported version, because the continued availability of security fixes for unsupported versions cannot be guaranteed. The newer 3.1.x and 3.2.x Rails branches are not affected by this vulnerability.

This latest Rails vulnerability is identified as CVE-2013-0333 and is different from CVE-2013-0156, a critical SQL injection vulnerability patched in the framework on Jan. 8. The Rails developers stressed that users of Rails 2.3 or 3.0 who previously installed the fix for CVE-2013-0156 are still required to install the new fix released this week.


IDG UK Sites

Very best Black Friday 2014 tech deals UK: Latest bargains on phones, tablets, laptops and more...

IDG UK Sites

Tech trends 2015: 3D printing grows up

IDG UK Sites

Will I be affected by VAT MOSS? Here are the facts for designers and artists

IDG UK Sites

Black Friday 2014 UK: Apple deals, Amazon deals & Black Friday tech offers