This article explains how the vulnerability works, how it is triggered and what the facts are: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
On Wednesday, January 2, 2013 10:28:36 PM UTC+1, Aaron Patterson wrote:

> Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These
> releases contain an important security fix. It is recommended that **all
> users upgrade immediately**.
>
> The security identifier is CVE-2012-5664, and you can read about the issue
> [here](add link).
>
> For other changes in each particular release, please see the CHANGELOG
> corresponding to that version. For all commits in each release, please
> follow the links below:
>
> * [Changes in 3.2.10](https://github.com/rails/rails/compare/v3.2.9...v3.2.10)
> * [Changes in 3.1.9](https://github.com/rails/rails/compare/v3.1.8...v3.1.9)
> * [Changes in 3.0.18](https://github.com/rails/rails/compare/v3.0.17...v3.0.18)
>
> We're sorry to drop a release like this so close to the holidays but
> regrettably the exploit has already been publicly disclosed and we don't
> feel we can delay the release.
>
> To that end, we've minimized the number of changes in each release so that
> upgrading should be as smooth as possible.
>
> Happy Holidays!
>
> <3<3<3
>
> --
> Aaron Patterson
> http://tenderlovemaking.com/

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/y4QH7gOKNnoJ.
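The announcement above names three fixed releases, one per supported series. A quick way to act on that in a fleet of applications is to read the pinned Rails version out of each Gemfile.lock and compare it against the fixed version for its series. The following Ruby is an added example, not code from the announcement or from the Rails project; the Gemfile.lock fragment is constructed for illustration, and versions outside the three series listed in the announcement are reported as unknown rather than judged.

```ruby
# Added example (not from the announcement): decide whether a Rails version
# string is at or above the fixed release for its series, using the three
# fixed versions named in the advisory. Versions outside those series are
# reported as :unknown rather than guessed.
require "rubygems"

# Minimum fixed version per minor series, as listed in the announcement.
FIXED = {
  "3.2" => Gem::Version.new("3.2.10"),
  "3.1" => Gem::Version.new("3.1.9"),
  "3.0" => Gem::Version.new("3.0.18"),
}.freeze

# Returns :patched, :vulnerable or :unknown for a Rails version string.
# Gem::Version handles prerelease suffixes, so "3.2.10.rc1" sorts below
# "3.2.10" and is still reported as :vulnerable.
def rails_status(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments[0, 2].join(".")
  fixed = FIXED[series]
  return :unknown unless fixed
  v >= fixed ? :patched : :vulnerable
rescue ArgumentError
  # Malformed version strings are not silently treated as safe.
  :unknown
end

# Pull the rails gem version out of Gemfile.lock text. In a lockfile the
# top-level spec line is indented four spaces, e.g. "    rails (3.2.9)".
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^\s{4}rails \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample Gemfile.lock fragment (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.9)
        actionmailer (= 3.2.9)
LOCK

if __FILE__ == $0
  v = rails_version_from_lock(SAMPLE_LOCK)
  puts "rails #{v}: #{rails_status(v)}"
end
```

Run it against each application's Gemfile.lock (for example by reading the file into `rails_version_from_lock`) and treat both `:vulnerable` and `:unknown` as needing a human look, since an unrecognised series may be an unsupported Rails line that received no fix at all.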