Forum: Ruby [SEC][ANN] Rails 3.0.20, and 2.3.16 have been released!

Posted by Aaron Patterson (tenderlove)
on 2013-01-28 22:07
(Received via mailing list)
Hi everybody.

I'd like to announce that 3.0.20, and 2.3.15 have been released.  These 
releases contain one **extremely critical security fix** so please 
update **IMMEDIATELY**.

You can read about the security fix by following this link:

* [CVE-2013-0333](https://groups.google.com/forum/?fromgroups=#!topi...)

In order to ease upgrading, the only major changes in each gem is the 
security fix.  To see the detailed changes for each version, follow the 
links below:

* [Changes in 3.0.20](https://github.com/rails/rails/compare/v3.0.19...v3.0.20)
* [Changes in 2.3.16](https://github.com/rails/rails/compare/v2.3.15...v2.3.16)

Thanks to the people who responsibly reported these security issues.

Please note that per our [maintenance policy](https://groups.google.com/forum/?fromgroups=#!topi...) this will be the last release for the 3.0.x series.

Here are the SHA-1 checksums for each gem:

### 3.0.20

```
[aaron@higgins dist]$ shasum *3.0.20*
c5b1a446d921dbd512a2d418c50f144b4540a657  actionmailer-3.0.20.gem
79ec243f6ec301b0a73ad45f89d4ea2335f90346  actionpack-3.0.20.gem
80c7d881ed64ed7a66f4d82b12c2b98b43f6fbde  activemodel-3.0.20.gem
d8fc6e02bf46f9b5f86c3a954932d67da211302b  activerecord-3.0.20.gem
e465e7d582c6d72c487d132e5fac3c3af4626353  activeresource-3.0.20.gem
5bc7b2f1ad70a2781c4a41a2f4eaa75b999750e4  activesupport-3.0.20.gem
ba9fb9dba41ce047feef11b4179cd9c3f81b2857  rails-3.0.20.gem
42b0025e4cb483d491a809b9d9deb6fd182c2a57  railties-3.0.20.gem
```

### 2.3.16

```
[aaron@higgins dist]$ shasum *2.3.16*
ab1a47a08d42352d9e8c276d28e6ed6990c23556  actionmailer-2.3.16.gem
f81ac75eb9edbb363a6d7bbe175a208e97ea3d4f  actionpack-2.3.16.gem
4ce36062f1f0b326b16e42b9fde5f1ab0610bffc  activerecord-2.3.16.gem
3698787f9ab8432f0c10268e22fbfcf682fa79cc  activeresource-2.3.16.gem
90490f62db73c4be9ed69d96592afa0b98e79738  activesupport-2.3.16.gem
239253159f9793e2372c83dcf9d0bd7bff343f7d  rails-2.3.16.gem
```

<3<3<3
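The announcement publishes a `shasum` listing so that downloaded gems can be checked before installation. The script below is an added example (not part of the original post or of Rails itself): it parses that `<hex>  <filename>` format, recomputes SHA-1 for each file in a directory, and reports `:ok`, `:mismatch` or `:missing` per gem. The demo files and manifest are constructed for the example; SHA-1 is used only because that is what the post publishes, and a mismatch is a reason to discard the file and fetch it again from the official source.

```ruby
require "digest"
require "tmpdir"

# Parse shasum(1)-style output ("<40 hex chars>  <filename>" per line) into
# {filename => expected_hex}. Anything else, such as the shell prompt line
# that was pasted along with the hashes, is skipped.
def parse_shasum_manifest(text)
  text.each_line.with_object({}) do |line, manifest|
    m = line.match(/\A(\h{40})\s+\*?(\S+)\s*\z/)
    manifest[m[2]] = m[1].downcase if m
  end
end

# Recompute SHA-1 for every file named in the manifest under +dir+ and
# return {filename => :ok | :mismatch | :missing}.
def verify_gems(manifest, dir)
  manifest.each_with_object({}) do |(name, expected), results|
    path = File.join(dir, name)
    results[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA1.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
  end
end

# Constructed demo: two fake "gems" in a temp dir plus a manifest in shasum
# format. The first hash is SHA-1("hello") and matches; the second is
# SHA-1("") and deliberately does not match the file; the third names a
# file that was never downloaded.
def demo_verification
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "good-1.0.0.gem"), "hello")
    File.write(File.join(dir, "tampered-1.0.0.gem"), "tampered content")
    manifest = parse_shasum_manifest(<<~TXT)
      $ shasum *1.0.0*
      aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  good-1.0.0.gem
      da39a3ee5e6b4b0d3255bfef95601890afd80709  tampered-1.0.0.gem
      da39a3ee5e6b4b0d3255bfef95601890afd80709  absent-1.0.0.gem
    TXT
    verify_gems(manifest, dir)
  end
end

if $PROGRAM_NAME == __FILE__
  demo_verification.each { |name, status| puts "#{status.to_s.ljust(8)} #{name}" }
end
```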
Posted by Andrew Mcelroy (sophrinix)
on 2013-01-28 22:31
(Received via mailing list)
On Mon, Jan 28, 2013 at 3:13 PM, Aaron Patterson
<tenderlove@ruby-lang.org>wrote:

First, I'd like to thank you Aaron for your hard work in handling security in rails.
I can't help but feel that rails is being smacked by major vulnerability after vulnerability.
Would it at all be helpful to get a kick starter or some fundraiser started to get a formal audit underway (Where's the NSA when you need them)?

I wonder how much of these vulnerabilities stem from the fact that we (in rails) use turing-complete protocols/languages for everything, thus exposing weird machines.
The Science of Insecurity (2008 CCC) It's an hour long, but well worth it:
http://www.youtube.com/watch?v=v8F8BqSa-XY

While I am glad to see these issues fixed, I can't help but wonder how many more vulnerabilities we still don't know about.
Again, I really do appreciate the attention to detail that Aaron and the
rest of the rails team give to rails.

Respectfully,
Andrew McElroy
Posted by Andrew Mcelroy (sophrinix)
on 2013-01-28 22:31
(Received via mailing list)
On Mon, Jan 28, 2013 at 3:30 PM, andrew mcelroy <sophrinix@gmail.com> wrote:
>
> On Mon, Jan 28, 2013 at 3:13 PM, Aaron Patterson <tenderlove@ruby-lang.org> wrote:
>>
>>
> The Science of Insecurity (2008 CCC) It's an hour long, but well worth it:
> http://www.youtube.com/watch?v=v8F8BqSa-XY

I didn't mean for that text to be huge... sorry.