DOS, XSS and Data Injection Flaws Fixed in Rails 4.0.3, 3.2.17 and 4.1.0.beta2

You can download the latest versions of Ruby on Rails from Softpedia

Feb 19, 2014 13:55 GMT · By Eduard Kovacs

Vulnerabilities fixed in Ruby on Rails 4.0.3, 3.2.17 and 4.1.0.beta2

14 DAY TRIAL // JUST $1.00 Play Starfield, Forza Motorsport, and hundreds of other PC games for one low monthly price.

Ruby on Rails 4.0.3, 3.2.17 and 4.1.0.beta2 have been released. The latest releases address a total of three vulnerabilities.

According to the developers, the vulnerabilities fixed in 3.2.17 have the following identifiers: CVE-2014-0081 and CVE-2014-0082. In Ruby 4.0.3, the issues with the CVE-2014-0080 and CVE-2014-0081 identifiers have been addressed.

In 4.1.0.beta2, the list of security fixes includes CVE-2014-0080 and CVE-2014-0081.

CVE-2014-0080 is a data injection vulnerability impacting Active Record. The flaw can be exploited to add data to array columns in PostgreSQL databases.

CVE-2014-0081 refers to a cross-site scripting (XSS) vulnerability in the “number_to_currency,” “number_to_percentage” and “number_to_human” helpers.

Finally, CVE-2014-0082 is a denial-of-service (DOS) issue in Action View. More precisely, the bug impacts the text rendering component in Action View.

Users are advised to update their installations as soon as possible. You can download Ruby on Rails, the latest versions, from Softpedia.

#Ruby on Rails#vulnerability#security update