Ruby on Rails 3.2.10, 3.1.9, and 3.0.18 have been released to address an SQL Injection vulnerability in Active Record that affects all versions.
According to the developers, the release comes so close to the holidays because the details of the exploit have already been publicly disclosed.
“Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL,” the developers explained.
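To make the quoted mechanism concrete, here is a stand-alone simulation of a `find_by_<attribute>` dynamic finder, written for this page rather than taken from Rails itself. It builds SQL text only and touches no database; the helper names (`vulnerable_find_by`, `hardened_find_by`, `extract_options!`, `apply_scope`) and the reduced set of finder options are assumptions. The vulnerable variant unconditionally pops a trailing `Hash` off the argument list and treats it as a scope, so an attribute value that reaches the finder as a `Hash` (the article does not say how; the example simply constructs one) is applied as `:select`/`:where`/`:order`/`:limit` instead of being quoted. The hardened variant follows the idea of the fix: a trailing `Hash` is only an options scope when there are more arguments than attributes being matched.

```ruby
# Added example: simulation of an Active Record-style dynamic finder.
# Not Rails' own code; helper names and option set are assumptions.

# Reduced set of finder options for the simulation (assumption).
VALID_FINDER_OPTIONS = %i[select where order limit].freeze

# Quote a scalar as an SQL string literal, doubling embedded quotes.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Pop a trailing Hash from an argument list, the way option extraction works.
def extract_options!(args)
  args.last.is_a?(Hash) ? args.pop : {}
end

# Merge a scope/options Hash into the query parts; unknown keys are rejected,
# but the *values* of known keys are interpolated verbatim (raw SQL fragments).
def apply_scope(parts, options)
  options.each_key do |key|
    raise ArgumentError, "unknown finder option #{key.inspect}" unless VALID_FINDER_OPTIONS.include?(key)
  end
  parts[:select] = options[:select] if options[:select]
  parts[:where] << options[:where] if options[:where]
  parts[:order] = options[:order] if options[:order]
  parts[:limit] = options[:limit] if options[:limit]
  parts
end

def new_parts(table)
  { table: table, select: "*", where: [], order: nil, limit: nil }
end

# Add one "attr = 'value'" (or "attr IS NULL") condition per matched attribute.
def add_conditions(parts, attribute_names, args)
  attribute_names.each_with_index do |attr, i|
    parts[:where] << (args[i].nil? ? "#{attr} IS NULL" : "#{attr} = #{quote(args[i])}")
  end
  parts
end

def render(parts)
  sql = ["SELECT #{parts[:select]} FROM #{parts[:table]}"]
  sql << "WHERE " + parts[:where].join(" AND ") unless parts[:where].empty?
  sql << "ORDER BY #{parts[:order]}" if parts[:order]
  sql << "LIMIT #{parts[:limit]}" if parts[:limit]
  sql.join(" ")
end

# VULNERABLE: a trailing Hash is always pulled off as the options scope, even
# when it was meant to be the attribute value itself.
def vulnerable_find_by(table, attribute_names, *args)
  options = extract_options!(args)
  parts = add_conditions(new_parts(table), attribute_names, args)
  render(apply_scope(parts, options))
end

# HARDENED: only treat a trailing Hash as options when there are more
# arguments than attributes; otherwise it is an ordinary value and gets quoted.
def hardened_find_by(table, attribute_names, *args)
  options = args.length > attribute_names.length ? extract_options!(args) : {}
  parts = add_conditions(new_parts(table), attribute_names, args)
  render(apply_scope(parts, options))
end

# Constructed attacker-controlled "value": a Hash whose :select fragment
# rewrites the query and comments out the original WHERE clause.
INJECTED_TOKEN = { select: "* FROM users WHERE id = 1 --" }.freeze

if $PROGRAM_NAME == __FILE__
  puts hardened_find_by("users", [:persistence_token], "abc123")
  puts vulnerable_find_by("users", [:persistence_token], INJECTED_TOKEN)
  puts hardened_find_by("users", [:persistence_token], INJECTED_TOKEN)
end
```

Run as a script it prints the normal lookup, then the vulnerable path producing `SELECT * FROM users WHERE id = 1 -- FROM users WHERE persistence_token IS NULL` (the token check is gone), then the hardened path where the same `Hash` ends up as a harmless quoted string literal. The practical lesson carries beyond this one bug: whenever an API accepts "value or options Hash" in the same position, anything that can coerce untrusted input into a `Hash` (parameter parsing, deserialised sessions) turns a value into a scope, so finder arguments taken from requests should be forced to scalars (for example `params[:token].to_s`) before they reach a finder.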
Considering the risks posed by this serious vulnerability, users are advised to update as soon as possible. In order to make the upgrading process as easy as possible, the number of changes in each of the releases has been kept to a minimum.
Ruby on Rails is available for download from the project's website, rubyonrails.org.