Ruby On Rails Receives Its Third Security Patch In Less Than A Month

Developers of the Ruby on Rails Web growth horizon expelled versions 3.0.20 and 2.3.16 of the program on Monday to be able to residence a vicious remote ethics carrying out vulnerability.

This is the third safety refurbish expelled in January for Ruby on Rails, an increasingly renouned horizon for building Web applications using the Ruby programming denunciation that was used to erect websites similar to Hulu, GroupOn, GitHub, Scribd, and others.

[ Find out how to block the viruses, worms, and other malware that bluster your business, with hands-on recommendation from InfoWorld's consultant contributors in InfoWorld's " Malware Deep Dive " PDF guide. Don't look now, but your antivirus might be murdering your virtualization infrastructure . InfoWorld's Matt Prigge shows you how to discover the bell signs. ]

The Rails developers described the updates expelled Monday as “extremely critical” in a blog post and suggested all users of the 3.0.x and 2.3.x Rails program branches to refurbish immediately.

According to a analogous safety instructive , the newly expelled Rails versions residence a disadvantage in the Rails JSON (JavaScript Object Notation) ethics that allows enemy to alternative route authentication systems, speak up capricious SQL (Structured Query Language) in to an application’s database, speak up and govern capricious ethics or perform a denial-of-service assault against an application.

The Rails developers sharp out that notwithstanding reception this update, the Rails 3.0.x bend is no longer strictly supported. “Please note that usually the 2.3.x, 3.1.x and 3.2.x array are upheld at present,” they mentioned in the advisory.

Users of Rails versions that are no longer upheld were suggested to ascent as shortly as probable to a newer, upheld version, since the one after another accessibility of safety fixes for unsupported versions cannot be guaranteed. The newer 3.1.x and 3.2.x Rails branches are not affected by this vulnerability.

This ultimate Rails disadvantage is identified as CVE-2013-0333 and is not similar from CVE-2013-0156, a vicious SQL injection disadvantage patched in the horizon on Jan. 8 . The Rails developers stressed that users of Rails 2.3 or 3.0 who formerly commissioned the put together for CVE-2013-0156 are still compulsory to setup the new put together expelled this week.

Short URL: http://zagrib.com/?p=11411

Posted by pasarloak on Feb 16 2013. Filed under Tips & Tricks. You can follow any responses to this entry through the RSS 2.0. You can skip to the end and leave a response. Pinging is currently not allowed.