Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in order to address a critical remote code execution vulnerability.
This is the third security update released in January for Ruby on Rails, an increasingly popular framework for developing Web applications using the Ruby programming language that was used to build websites like Hulu, GroupOn, GitHub, Scribd, and others.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Don't look now, but your antivirus may be killing your virtualization infrastructure. InfoWorld's Matt Prigge shows you how to detect the warning signs. ]
The Rails developers described the updates released Monday as "extremely critical" in a blog post and advised all users of the 3.0.x and 2.3.x Rails software branches to update immediately.
The Rails developers pointed out that despite receiving this update, the Rails 3.0.x branch is no longer officially supported. "Please note that only the 2.3.x, 3.1.x and 3.2.x series are supported at present," they said in the advisory.
Users of Rails versions that are no longer supported were advised to upgrade as soon as possible to a newer, supported version, because the continued availability of security fixes for unsupported versions cannot be guaranteed. The newer 3.1.x and 3.2.x Rails branches are not affected by this vulnerability.
This latest Rails vulnerability is identified as CVE-2013-0333 and is different from CVE-2013-0156, a critical SQL injection vulnerability patched in the framework on Jan. 8. The Rails developers stressed that users of Rails 2.3 or 3.0 who previously installed the fix for CVE-2013-0156 are still required to install the new fix released this week.