[SEC][ANN] Rails 3.0.20, and 2.3.16 have been released!

SSkonishi_takurou_S · January 28, 2013, 10:07pm

Hi everybody.

I’d like to announce that 3.0.20, and 2.3.15 have been released. These
releases contain one extremely critical security fix so please
update IMMEDIATELY.

You can read about the security fix by following this link:

CVE-2013-0333

In order to ease upgrading, the only major changes in each gem is the
security fix. To see the detailed changes for each version, follow the
links below:

Thanks to the people who responsibly reported these security issues.

Please note that per our maintenance
policy
this will be the last release for the 3.0.x series.

Here are the SHA-1 checksums for each gem:

3.0.20

[aaron@higgins dist]$ shasum *3.0.20*
c5b1a446d921dbd512a2d418c50f144b4540a657  actionmailer-3.0.20.gem
79ec243f6ec301b0a73ad45f89d4ea2335f90346  actionpack-3.0.20.gem
80c7d881ed64ed7a66f4d82b12c2b98b43f6fbde  activemodel-3.0.20.gem
d8fc6e02bf46f9b5f86c3a954932d67da211302b  activerecord-3.0.20.gem
e465e7d582c6d72c487d132e5fac3c3af4626353  activeresource-3.0.20.gem
5bc7b2f1ad70a2781c4a41a2f4eaa75b999750e4  activesupport-3.0.20.gem
ba9fb9dba41ce047feef11b4179cd9c3f81b2857  rails-3.0.20.gem
42b0025e4cb483d491a809b9d9deb6fd182c2a57  railties-3.0.20.gem

2.3.16

[aaron@higgins dist]$ shasum *2.3.16*
ab1a47a08d42352d9e8c276d28e6ed6990c23556  actionmailer-2.3.16.gem
f81ac75eb9edbb363a6d7bbe175a208e97ea3d4f  actionpack-2.3.16.gem
4ce36062f1f0b326b16e42b9fde5f1ab0610bffc  activerecord-2.3.16.gem
3698787f9ab8432f0c10268e22fbfcf682fa79cc  activeresource-2.3.16.gem
90490f62db73c4be9ed69d96592afa0b98e79738  activesupport-2.3.16.gem
239253159f9793e2372c83dcf9d0bd7bff343f7d  rails-2.3.16.gem

<3<3<3

aaronpowell · January 28, 2013, 10:31pm

On Mon, Jan 28, 2013 at 3:13 PM, Aaron P.
[email protected]wrote:

)
First, I’d like to thank you Aaron for your hard work in handling
security
in rails.
I can’t help but feel that rails is being smacked by
major vulnerability after vulnerability.
Would it at all be helpful to get a kick starter or some fundraiser
started
to get a formal audit underway (Where’s the NSA when you need them) ?

I wonder how much of these vulnerabilities stem from the fact that we
(in
rails) use turing-complete protocols/languages for everything, thus
exposing weird machines.
The Science of Insecurity (2008 CCC) It’s an hour long, but well worth
it-

While I am glad to see these issues fixed, I can’t help but wonder how
many
more vulnerabilities we still don’t know about.
Again, I really do appreciate the attention to detail that Aaron and the
rest of the rails team give to rails.

Respectfully,
Andrew McElroy

aaronpowell · January 28, 2013, 10:31pm

On Mon, Jan 28, 2013 at 3:30 PM, andrew mcelroy [email protected]
wrote:

On Mon, Jan 28, 2013 at 3:13 PM, Aaron P. [email protected]
wrote:

The Science of Insecurity (2008 CCC) It’s an hour long, but well worth it-
- YouTube

I didn’t mean for that text to be huge… sorry.