Multiple vulnerabilities have been discovered in Rails, the worst of which leading to the execution of arbitrary SQL statements.
|Package||dev-ruby/rails on all architectures|
|Affected versions||< 2.2.2|
|Unaffected versions||>= 2.3.5
revision >= 2.2.3-r1
Ruby on Rails is a web-application and persistence framework.
The following vulnerabilities were discovered:
A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user's session or bypass the CSRF protection mechanism, or furthermore conduct Cross-Site Scripting attacks or forge a digest via multiple attempts.
There is no known workaround at this time.
All Ruby on Rails 2.3.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.5"
All Ruby on Rails 2.2.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose "=dev-ruby/rails-2.2.3-r1"
NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running "rake rails:update" inside the application directory.