1. Watch out for the latest Security Patch to deal with authentication bypass for RoR
Ruby on Rails framework developers have been continuously releasing security updates over
the last two weeks. The most recent updates, versions 3.0.20 and 2.3.16, address a
remote code execution vulnerability. This is the third security patch released this month. The
developers have described the updates as extremely important and have
advised users of the 3.0.x and 2.3.x Rails framework to update as soon as possible.
The security update fixes a vulnerability in the Rails JSON parsing code that allowed attackers to
bypass the authentication system and inject arbitrary SQL into the application database. It
could also be used to mount a denial-of-service attack. The Rails developers have also pointed out
that only the 2.3.x, 3.1.x, and 3.2.x versions are currently supported, and that they might release an update
for the 3.0.x version.
The most recent vulnerability was identified as CVE-2013-0333 and was patched in the
framework on the 8th of January. Ruby on Rails developers using Rails 2.3 and 3.0 are also advised
to install the new fixes even if they had already installed the fix for CVE-2013-0156.
Brief Summary
Affected Versions are: 2.3.x, 3.0.x
Unaffected Versions are: 3.1.x, 3.2.x, and applications using yajl gem
Fixed Versions are: 3.0.20, 2.3.16
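As an added example (not part of the original post and not Rails project code), the following Ruby script turns the summary above into a triage check: it reads the locked Rails version out of a Gemfile.lock and classifies it as vulnerable, fixed, or unaffected against the fixed versions 3.0.20 and 2.3.16. The sample Gemfile.lock text is constructed for illustration. The script only looks at the Rails version; the exemption for applications using the yajl gem has to be confirmed separately, since it depends on how the application is configured.

```ruby
require "rubygems"

# Fixed versions from the advisory summary: 3.0.20 for the 3.0.x branch and
# 2.3.16 for the 2.3.x branch. Branches not listed here (3.1.x, 3.2.x) are
# unaffected per the summary.
FIXED_VERSIONS = {
  [2, 3] => Gem::Version.new("2.3.16"),
  [3, 0] => Gem::Version.new("3.0.20"),
}.freeze

# Classify a Rails version string as :vulnerable, :fixed, or :unaffected.
# Gem::Version handles numeric comparison correctly (3.0.9 < 3.0.20) and
# orders prerelease builds such as 3.0.20.rc1 before the final 3.0.20.
def rails_status(version_string)
  version = Gem::Version.new(version_string)
  major, minor = version.segments[0, 2]
  fix = FIXED_VERSIONS[[major, minor]]
  return :unaffected unless fix
  version >= fix ? :fixed : :vulnerable
end

# Pull the resolved rails version out of Gemfile.lock text. In the "specs:"
# section of the GEM block, top-level gems are indented by exactly four spaces
# ("    rails (3.0.19)"); their dependencies are indented further, and the
# DEPENDENCIES section uses two spaces, so neither matches this pattern.
def locked_rails_version(lockfile_text)
  match = lockfile_text.match(/^ {4}rails \(([\d.]+[\w.]*)\)/)
  match && match[1]
end

# Combine the two: returns :unknown when no rails entry is present.
def assess_lockfile(lockfile_text)
  version = locked_rails_version(lockfile_text)
  version ? rails_status(version) : :unknown
end

# Constructed sample Gemfile.lock excerpt (not taken from a real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.0.19)
        actionmailer (= 3.0.19)
        activerecord (= 3.0.19)
      rake (0.9.2)

  DEPENDENCIES
    rails (= 3.0.19)
LOCK

if __FILE__ == $0
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  puts "rails #{locked_rails_version(text) || 'not found'}: #{assess_lockfile(text)}"
end
```

Run it as `ruby check_rails.rb path/to/Gemfile.lock` across a set of applications to find the ones still on a pre-fix 2.3.x or 3.0.x release; with no argument it evaluates the constructed sample, which reports `vulnerable`.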