Tuesday, February 8, 2011

New Releases: 2.3.11 and 3.0.4

Posted by michael

Two new versions of Ruby On Rails have been released today. As well as including a number of bugfixes they contain fixes for some security issues. The full details of each of the vulnerabilities are available on the rubyonrails-security mailing list. We strongly urge you to update production Rails applications as soon as possible. Rather than post the advisories individually to this blog, I’ll just link to the google talk archives.

Install the latest version using gem install rails. Or if you’re using bundler, edit your gemfile and run bundle update rails.

Summaries

Affecting 2.×.x and 3.0.x

  • XSS Risk in mail_to :encode=>:javascript”:http://groups.google.com/group/rubyonrails-security/t/f02a48ede8315f81 CVE-2011-0446
  • CSRF Bypass Risk CVE-2011-0447

Affecting 3.0.x only