I was initially under the impression that they weren't going to
release a fix for 3.0, but 3.0.18 has also been released. If you
upgrade to Rails 3.0.18, there is no need to upgrade to Hobo 1.3.3; it
is otherwise identical to Hobo 1.3.2.

Bryan

On Wed, Jan 2, 2013 at 6:54 PM, Bryan Larsen <[email protected]> wrote:
> A SQL injection vulnerability has been found in ActiveRecord that
> impacts all versions of Rails:
>
> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
>
> I have released Hobo 1.3.3 that patches Hobo's vulnerability to this issue.
>
> If you are using Hobo 2.0 it is recommended that you upgrade to Rails
> 3.2.10, although I have also pushed the security patch to github
> master.
>
> The Hobo fix only impacts Hobo's usage. If you use find_by_ in your
> own code, you must fix those up yourself by coercing the input
> (find_by_foo(params[:foo].to_s) for example) or by upgrading to a
> version of Rails without the vulnerability.
>
> Bryan

-- 
You received this message because you are subscribed to the Google Groups "Hobo 
Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/hobousers?hl=en.
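The workaround Bryan recommends for your own find_by_ calls (coerce the parameter with .to_s before it reaches the finder), as an added example that is not part of the original message and not Hobo's or Rails' own code. It runs without Rails: FAKE_USERS, find_user_by_login, lookup_user and the sample params are stand-ins invented for this example, and the nested-parameter shape is what Rack-style query parsing produces for a request like ?login[x]=y.

```ruby
# Added example (not from the mailing-list message, Hobo or Rails).
# Demonstrates the .to_s coercion recommended above for find_by_ calls,
# using an in-memory stand-in for an ActiveRecord table so it runs offline.

# Constructed stand-in for a users table (an assumption for the example).
FAKE_USERS = [
  { 'id' => 1, 'login' => 'alice', 'admin' => false },
  { 'id' => 2, 'login' => 'bob',   'admin' => true  },
].freeze

# The workaround from the message: whatever object arrived in params,
# the finder only ever sees a String.  A nested parameter such as
# ?login[x]=y is parsed into a Hash; after #to_s it is just a string
# that matches no login instead of a structured object.
def coerce_finder_arg(value)
  value.to_s
end

# Stricter variant: accept only scalar input and reject anything
# structured, so a malformed request fails loudly rather than silently.
def scalar_finder_arg(value)
  case value
  when String, Integer, Symbol then value.to_s
  else raise ArgumentError, "expected a scalar finder argument, got #{value.class}"
  end
end

# Minimal stand-in for User.find_by_login(value): exact string match only.
def find_user_by_login(value)
  FAKE_USERS.find { |row| row['login'] == value }
end

# Controller-style lookup with the coercion applied at the call site,
# mirroring find_by_login(params[:login].to_s).
def lookup_user(params)
  find_user_by_login(coerce_finder_arg(params['login']))
end

# Constructed request parameters, as a Rails controller would see them.
PARAMS_PLAIN  = { 'login' => 'alice' }.freeze
PARAMS_NESTED = { 'login' => { 'x' => 'y' } }.freeze   # from ?login[x]=y

if __FILE__ == $PROGRAM_NAME
  p lookup_user(PARAMS_PLAIN)            # the alice row
  p lookup_user(PARAMS_NESTED)           # nil: the Hash became a harmless String
  begin
    scalar_finder_arg(PARAMS_NESTED['login'])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The coercion keeps the finder's argument a plain value regardless of how the query string was shaped; the stricter scalar_finder_arg is the form to prefer in new code, since a Hash or Array in a field that should be a login is never a legitimate request.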
