A security vulnerability has been disclosed in Ruby on Rails, assigned
CVE-2013-0333. It affects the 2.3 and 3.0 series of Rails.
The vulnerability in the JSON code for Ruby on Rails allows attackers
to bypass authentication systems, inject arbitrary SQL, inject and
execute arbitrary code, or perform a DoS attack on a Rails
application.

If you currently use Puppet's ActiveRecord-based storeconfigs, you
will most likely want to update your ActiveRecord version or patch
your version to address the risk (or even better, use PuppetDB, a
drop-in replacement: http://docs.puppetlabs.com/puppetdb/).

See the following post for more information on the vulnerability:
https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo

Regards,
Matthaus Owens
Puppet Labs
