Thursday, February 20, 2014

Security fix for Rails: 3.2.17 and 4.0.3 released

http://bitnami.com/stack/ruby
New versions of Rails have been released recently that address several security issues:

- CVE-2014-0081 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human.
- CVE-2014-0080 Data Injection Vulnerability in Active Record.
- CVE-2014-0082 Denial of Service Vulnerability in Action View when using render text.

If you are using Ruby Stack for deploying your application, we strongly suggest upgrading Rails to the latest version. We have released new versions of Ruby Stack native installers (all platforms), virtual machines and Amazon EC2 and Azure cloud images for the following platforms:
  • Ruby Stack 1.9.3, with Ruby 1.9.3-p484 and Rails 3.2.17
  • Ruby Stack 2.0.0, with Ruby 2.0.0-p353 and Rails 4.0.3
  • Ruby Stack 2.1.0, with Ruby 2.1.0 and Rails 4.0.3
Because one of the security issues affects PostgreSQL databases, we also released a new version of the Bitnami Discourse application which includes a fixed version of Rails.