The Rails developers have released Rails versions 3.2.13, 3.1.12 and 2.3.18 to close four security holes in the web application framework. The developers recommend that users upgrade as soon as possible to the latest Rails gems. For those unable to update, patches are available with the individual bug notifications. The flaws affect all versions of Rails, but in line with the Rails maintenance policy, only the three maintained branches, 3.2, 3.1 and 2.3, are being updated. Note that Rails 3.2.13 also contains many other non-security changes as part of a general bug fix release; the RC1 release notes give details of many of those changes.

One flaw, CVE-2013-1854, allowed Ruby symbols to be passed to ActiveRecord queries, causing a denial of service. A CSS sanitization bypass, CVE-2013-1855, exposed an XSS vulnerability. Another sanitization problem, CVE-2013-1857, meant that the sanitize helper allowed executable JavaScript to be embedded in URLs, opening the way for another XSS attack vector.
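The URL problem behind CVE-2013-1857 is the general one of a sanitizer deciding whether an `href` or `src` value is safe to keep. The check below is an added illustration written for this article, not code from Rails or from the fix itself; the allowlist `SAFE_URL_SCHEMES`, the attribute names in `URL_ATTRIBUTES` and the sample values are assumptions. The point it demonstrates is that the scheme must be read from a value normalised the way a browser reads it (character references decoded, control characters and whitespace dropped, case folded), and that a value failing the check is dropped rather than repaired.

```ruby
require 'cgi'

# Schemes the sanitizer is prepared to keep in an href or src attribute
# (constructed allowlist for this example).
SAFE_URL_SCHEMES = %w[http https mailto ftp].freeze

# Attribute names whose values are URLs (constructed list for this example).
URL_ATTRIBUTES = %w[href src].freeze

# Normalise an attribute value the way a browser does before it reads the
# scheme: decode HTML character references, drop control characters and
# whitespace, and lowercase. A check that skips this step can be fooled by an
# encoded or whitespace-padded scheme that the browser still executes.
def normalize_url_for_check(value)
  decoded = CGI.unescapeHTML(value.to_s)
  decoded.gsub(/[\x00-\x20]/, '').downcase
end

# Extract the scheme of a normalised URL, or nil for a scheme-less (relative)
# URL. A colon later in a path or query does not count as a scheme.
def url_scheme(normalized)
  normalized[/\A([a-z][a-z0-9+.\-]*):/, 1]
end

# True when the URL is relative or uses an allowlisted scheme.
def safe_url?(value)
  scheme = url_scheme(normalize_url_for_check(value))
  scheme.nil? || SAFE_URL_SCHEMES.include?(scheme)
end

# Sanitize a hash of tag attributes: URL-bearing attributes that fail the check
# are removed entirely; everything else is passed through unchanged.
def sanitize_attributes(attrs)
  attrs.reject { |name, value| URL_ATTRIBUTES.include?(name.to_s) && !safe_url?(value) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample attribute sets: one benign, one carrying a script URL.
  puts sanitize_attributes('href' => 'https://example.com/docs', 'title' => 'Docs').inspect
  puts sanitize_attributes('href' => 'javascript:alert(1)', 'title' => 'Bad').inspect
end
```

Rejecting rather than allowlisting (for example, looking for the literal string `javascript:`) is the wrong shape for this check: the browser's decoding and whitespace handling give too many spellings of the same scheme, so a short allowlist applied after normalisation is the form that stays correct.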

Finally, when running Rails on JRuby, it was found that one of the backends for XML parsing, ActiveSupport::XmlMini_JDOM, used javax.xml.parsers.DocumentBuilder, which by default on some JVMs resolves external references, letting attackers construct XML that points at arbitrary URLs; when the XML was parsed, the content of those URLs was pulled into the document. The flaw, identified as CVE-2013-1856, meant that application server files could be extracted or that denial of service attacks could be staged.
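Whichever parser backend sits behind an XML endpoint, an application that never needs document type declarations can refuse them before parsing, and that single check closes both routes the article describes: external entities (the file and URL disclosure) and entity expansion (the denial of service), since both can only enter through a DOCTYPE. The code below is an added example for this article, not code from Rails or from the CVE-2013-1856 fix; the helper names, the `UnsafeXmlError` class and the two sample documents are constructed, and the `file:///placeholder/...` URL in the second sample is a placeholder, not a real path.

```ruby
require 'rexml/document'

class UnsafeXmlError < StandardError; end

# External entities (SYSTEM/PUBLIC) and entity-expansion bombs can only be
# introduced through a document type declaration, so input that carries one
# is refused before it reaches any parser backend. The check is
# parser-agnostic and so also covers a backend that resolves external
# references by default.
def reject_doctype!(xml)
  if xml.match?(/<!(DOCTYPE|ENTITY)\b/i)
    raise UnsafeXmlError, 'document type declarations are not accepted'
  end
  xml
end

# Parse untrusted XML after the pre-check; returns a REXML::Document.
def safe_parse_xml(xml)
  REXML::Document.new(reject_doctype!(xml))
end

# Predicate for logging and tests: does the input pass the check?
def xml_accepted?(xml)
  safe_parse_xml(xml)
  true
rescue UnsafeXmlError
  false
end

# Constructed benign sample.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <order><item sku="A-1">2</item></order>
XML

# Constructed sample declaring an external entity that points at a placeholder
# URL: the pattern a backend resolving external references would fetch and
# splice into the parsed document.
EXTERNAL_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/server/file"> ]>
  <order><note>&ext;</note></order>
XML

if __FILE__ == $PROGRAM_NAME
  puts "benign accepted:   #{xml_accepted?(BENIGN_XML)}"
  puts "external rejected: #{!xml_accepted?(EXTERNAL_ENTITY_XML)}"
end
```

For the JDOM backend specifically, the same policy can be enforced inside the JVM by disabling document type declarations on the `DocumentBuilderFactory` (the Xerces `http://apache.org/xml/features/disallow-doctype-decl` feature); the pre-check above is the portable form that does not depend on which backend the deployment ends up using.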

(djwm)