Fix your Rails 2.3/3.0 and Devise apps!

28 Jan 2013

Hot on the heels of the recent security problem with YAML, some people have evidently figured out how to inject YAML into your JSON when using Rails 2.3 or 3.0 (3.1+ do not seem to be affected). Check out the official announcement on the rails-security list. Though the announcement is not very specific, since it explicitly mentions the injection of a YAML payload into your JSON it is very likely this is just as severe as the recent one. If you're on any of these versions, please upgrade or patch as soon as possible.

While you're at it you probably should also upgrade Devise if you're using it (and do not use postgresql or sqlite as your db) since there's a security hole there as well.

Happy Patching!


ikrogers wrote 2014-06-24 12:09:12 UTC:

Great, only 2 databases I know to code for so far. Anyone has any alternate options?

Bryan Hanks, PMP wrote 2014-09-18 16:48:27 UTC:

@ikrogers - you don't need to abandon Postgres or SQLite. There's a workaround if you don't want to update Devise at the security hole announcement page.

The easiest answer is to simply upgrade.
