Ruby on Rails security updates address SQL injection flaw
The Ruby on Rails developers rushed to fix a publicly disclosed SQL injection vulnerability
By Lucian Constantin | Published: 14:33, 03 January 2013
Ruby on Rails developers have released versions 3.2.10, 3.1.9, and 3.0.18 of the popular web application development framework for the Ruby programming language in order to patch a serious SQL injection vulnerability.
"These releases contain an important security fix," the Rails development team said yesterday. "It is recommended that all users upgrade immediately."
The vulnerability is located in the framework's Active Record database query interface and allows potential attackers to inject arbitrary SQL (Structured Query Language) statements.
Related Articles on Techworld
SQL injection vulnerabilities are commonly exploited by attackers to extract information from databases.
The Rails developers apologised for releasing a security update so close to the holidays, but said that they were forced to rush out a patch because the vulnerability had been publicly disclosed.
In order to help users who can't immediately upgrade to the latest versions of the framework, the Rails development team published a workaround and released manual patches that can be easily applied to older versions, including two that are no longer supported.
That said, users of unsupported versions were urged to upgrade as soon as possible because the future availability of security fixes for those versions is not guaranteed. Only Rails 3.1.x and 3.2.x series are supported at the moment, the developers said.