Rails 3.2.10, 3.1.9, and 3.0.18 have been released!

rubyonrails-talk
1

Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that **all users upgrade immediately**.

The security identifier is CVE-2012-5664, and you can read about the issue [here](add link).

For other change in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:

* [Changes in 3.2.10](Comparing v3.2.9...v3.2.10 · rails/rails · GitHub) * [Changes in 3.1.9](Comparing v3.1.8...v3.1.9 · rails/rails · GitHub) * [Changes in 3.0.18](Comparing v3.0.17...v3.0.18 · rails/rails · GitHub)

We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release.

To that end, we've minimized the number of changes in each release so that upgrading should be as smooth as possible.

Happy Holidays!

<3<3<3

2

Oops! Forgot the CVE link:

  https://groups.google.com/group/rubyonrails-security/browse_thread/thread/c2353369fea8c53

Thanks for your patience!

3

Thank you, Aaron, for your work on Rails!

<3 <3 <3

4

... unless you're using Sequel instead of AR like me :wink:

5

This article explains how the vulnerability works, how it is triggered and what the facts are: Rails SQL injection vulnerability: hold your horses, here are the facts - Phusion Blog

6

Please don’t give people misleading advice Hongli, when we told people they should upgrade immediately we meant it. It is exploitable under some circumstances, so people should be upgrading immediately to avoid the risk.

7

There’s a really big difference between these two potential scenarios:

(a) every single rails app I've ever written that uses find_by_*(params[*]) is immediately and completely compromised by anyone in the world with a simple well crafted url

-and-

(b) every single rails app I've ever written might be completely compromised if I've done my code in certain ways that are not common, like somehow converting user supplied string keys to symbols (authlogic being only an example).

In either case, yes, I should “immediately” upgrade my rails to avoid the risk, since “complete compromise” is a pretty severe thing to risk (no matter how remote the chance). Let no man mistake that, or dull that message… Let’s upgrade! Don’t put it off.

But the difference between (a) and (b) is in how much ridiculous sums of money should be spent on how many sleepless man-nights. The difference also can be in some manager deciding to ban rails from his company (or not), or some large customer of some rails-centric company deciding to not hire that company any longer (or keep hiring them).

I can understand pushing for upgrades, reducing liability, being on the safe side, etc, but please don’t overstate the issue. If it’s (a), please don’t be nebulous about it, just plainly state that it’s (a) and provide proof if people disagree. But if it’s (b), please don’t imply that it’s (a).

Dave

8

I will update the article with what you said here.