Multiple vulnerabilities have been discovered in Rails, the worst of which leading to the execution of arbitrary SQL statements.
Package | dev-ruby/rails on all architectures |
---|---|
Affected versions | < 2.2.2 |
Unaffected versions | >= 2.3.5 revision >= 2.2.3-r1 |
Ruby on Rails is a web-application and persistence framework.
The following vulnerabilities were discovered:
A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user's session or bypass the CSRF protection mechanism, or furthermore conduct Cross-Site Scripting attacks or forge a digest via multiple attempts.
There is no known workaround at this time.
All Ruby on Rails 2.3.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.5"
All Ruby on Rails 2.2.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose "=dev-ruby/rails-2.2.3-r1"
NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running "rake rails:update" inside the application directory.