Ruby on Rails: Security Google Group

Ruby on Rails 1.2.6

mich...@koziarski.com (Michael Koziarski) — Sat, 24 Nov 2007 22:16:29 UT

The rails core team has released ruby on rails 1.2.6 to address a bug
in the fix for session fixation attacks(CVE-2007-5380). The CVE
Identifier for this new issue is CVE-2007-6077.
You should upgrade to this new release if you do not take specific
session-fixation counter measures in your application. 1.2.6 also

Ruby on Rails 1.2.5

mich...@koziarski.com (Michael Koziarski) — Fri, 12 Oct 2007 22:30:23 UT

The rails core team has released ruby on rails 1.2.5 to address a
potential XSS exploit with our json serialization. The CVE Identifier
for this problem is CVE-2007-3227.
You are only at risk if you embed the result of a .to_json call in a
page you generate. For example:
<script type="text/javascript">

Re: Ruby on Rails 1.2.4

mich...@koziarski.com (Michael Koziarski) — Fri, 12 Oct 2007 22:25:00 UT

The issues mentioned in this advisory now have CVE numbers.
CVE-2007-5379
CVE-2007-5380
This was a typo, to re-enable URL based sessions you need the
following line in your environment.rb file.
config.action_controller.sessi on_options[:cookie_only] = false

Rails 1.2.5: Closes JSON XSS vulnerability

david.heineme...@gmail.com (DHH) — Fri, 12 Oct 2007 16:50:53 UT

This release closes a JSON XSS vulnerability, fixes a couple of minor
regressions introduced in 1.2.4, and backports a handful of features
and fixes from the 2.0 preview release.
All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5,
though it isn't strictly necessary if you aren't working with JSON.

Ruby on Rails 1.2.4

mich...@koziarski.com (Michael Koziarski) — Wed, 10 Oct 2007 01:33:45 UT

The release of Ruby on Rails 1.2.4 addresses some potential security
issues, all users of earlier versions are advised to upgrade to 1.2.4:
The particular issues are:
Maliciously crafted requests to a rails application could cause the
XML parser to read files from the server's disk or the network. 1.2.4