Monday, January 7, 2013

SQL injection flaw fixed in Ruby on Rails

Ruby on Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released to patch a serious SQL injection vulnerability. The flaw is located in the framework's Active Record database query interface and allows attackers to inject arbitrary SQL statements. The Rails developers apologized for releasing a security update so close to the holidays, but said that they were forced to rush out a patch because the vulnerability had already been publicly disclosed. All users are therefore advised to upgrade to one of the patched versions as soon as possible; anything older than the fixed release for its 3.x series should be treated as vulnerable.
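A quick way to check whether an application already carries the fix is to compare the Rails version resolved in its Gemfile.lock against the patched releases named above. The Ruby script below is an added example written for this post, not code from the Rails project or the advisory; it assumes Bundler's Gemfile.lock layout (resolved gems listed under `specs:` at four spaces of indentation, their dependencies at six), and the lockfile text it parses is a constructed sample, not a real project.

```ruby
# Added example (not from the Rails team or the original post): decide whether the
# Rails version pinned in a Gemfile.lock already carries the January 2013
# Active Record SQL injection fix (3.2.10 / 3.1.9 / 3.0.18 per the advisory).

# Minimum patched release for each affected minor series, taken from the advisory.
PATCHED_RAILS = {
  "3.2" => Gem::Version.new("3.2.10"),
  "3.1" => Gem::Version.new("3.1.9"),
  "3.0" => Gem::Version.new("3.0.18"),
}.freeze

# Extract the resolved rails version from Gemfile.lock text.
# Bundler writes resolved gems under the GEM/specs: section as "    rails (3.2.9)";
# the four-space indent separates a resolved gem from its dependency lines (six
# spaces) and from the DEPENDENCIES section (two spaces, e.g. "  rails (= 3.2.9)").
def rails_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    if (m = line.match(/\A    rails \((\d[^)]*)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Returns :patched, :vulnerable, or :unknown (no version found, or a series the
# advisory does not cover, which this check cannot judge either way).
def rails_fix_status(version)
  return :unknown if version.nil?
  series = version.segments[0, 2].join(".")
  minimum = PATCHED_RAILS[series]
  return :unknown unless minimum
  version >= minimum ? :patched : :vulnerable
end

# Constructed sample lockfile for illustration (not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.9)
        activemodel (= 3.2.9)
      rails (3.2.9)
        actionmailer (= 3.2.9)
        actionpack (= 3.2.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.9)
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  v = rails_version_from_lockfile(text)
  puts "rails #{v || '(not found)'}: #{rails_fix_status(v)}"
end
```

Run it with a path to a real Gemfile.lock, or with no argument to see the constructed sample (3.2.9) reported as vulnerable. Gem::Version compares segments numerically, so 3.2.10 correctly sorts above 3.2.9; a plain string comparison would get that wrong.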
