Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Critical Ruby on Rails security vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical Ruby on Rails security vulnerability
A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.

The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: "This is a MANDATORY upgrade for anyone not running on a very recent edge".

Unfortunately, they didn't specify what this "very recent edge" exactly is, so you can't say if you are vulnerable or not. We can confirm, though, that all older versions (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.

The new version (1.1.5) is supposed to be completely compatible with 1.1.4, however we would recommend that you check the original post about this available at http://weblog.rubyonrails.com/.

The new version can be downloaded from http://rubyforge.org/frs/?group_id=307.

Thanks to Christian for sending us a note about this.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!