---------- Forwarded message ----------
From: Samuel Richardson <[email protected]>
Date: Tue, Jan 29, 2013 at 11:28 AM
Subject: Re: [rails-oceania] Fw: [LRUG] More Rails Security Fun!
To: "[email protected]" <[email protected]>

And a "drop everything" upgrade needed for Devise (if you're not on SQLite3 or Postgres) as well:
http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/

[sigh]

Samuel Richardson
www.richardson.co.nz | 0405 472 748

On Tue, Jan 29, 2013 at 9:04 AM, Jon Rowe <[email protected]> wrote:
> Moar security vulnerabilities... (Forwarded from the LRUG list)…
>
> Forwarded message:
>
> *From:* Najaf Ali <[email protected]>
> *To:* London Ruby Users Group <[email protected]>
> *Date:* Tuesday, 29 January 2013 08:55:29
> *Subject:* [LRUG] More Rails Security Fun!
>
> Some brand spankin' new, freshly squeezed vulnerabilities for you:
>
> 1. Do you use devise with anything BUT Postgres or SQLite?
>
> If yes you need to upgrade (most likely this is some combination of
> password reset and some weird type inference behaviour, but still
> looking for a working POC). This includes MySQL and any NoSQL dbs you
> happen to use with devise. Details here:
>
> http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
>
> 2. Are you on rails 2.3 or 3.0?
>
> If yes you're still open to the remote code injection vulnerability
> you thought you had patched up last time (short version: it turns out
> you can convince the JSON parser to convert JSON into YAML and then
> parse it with the YAML parser). Details here:
>
> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
>
> Patch now, yadda yadda.
>
> -Ali
>
> P.S. Use Postgres
> _______________________________________________
> Chat mailing list
> [email protected]
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Best regards,
Y. Thong Kuah
http://kuahyeow.com

--
You received this message because you are subscribed to the Google Groups "WellRailed" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
Visit this group at http://groups.google.com/group/wellrailed?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
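The practical follow-up to the Devise item in the thread is checking whether an app's pinned Devise release is at or above the fixed releases the announcement names (v2.2.3, v2.1.3, v2.0.5 and v1.5.3) and whether it uses a database adapter other than PostgreSQL or SQLite, the two the announcement describes as unaffected. The script below is an added example written for this page, not code from the thread, from Devise or from Plataformatec. It assumes the standard Gemfile.lock layout (top-level specs indented by four spaces) and that the app's database adapter gem appears in that lock file; the adapter gem names and the sample lock-file text are constructed for illustration.

```ruby
# Added example (not from the mailing-list thread): checks a Gemfile.lock
# against the Devise releases named in the Plataformatec announcement
# (v2.2.3, v2.1.3, v2.0.5, v1.5.3). The sample lock-file text and the
# adapter gem list are constructed for illustration.
require "rubygems"

# Minimum patched release per Devise series, taken from the announcement URL.
PATCHED_DEVISE = {
  "2.2" => Gem::Version.new("2.2.3"),
  "2.1" => Gem::Version.new("2.1.3"),
  "2.0" => Gem::Version.new("2.0.5"),
  "1.5" => Gem::Version.new("1.5.3"),
}.freeze

# Adapters the announcement describes as not affected.
SAFE_ADAPTERS = %w[pg sqlite3].freeze

# Assumption: common adapter/ODM gem names that identify the datastore in use.
KNOWN_ADAPTERS = %w[pg sqlite3 mysql2 mysql mongoid].freeze

# Extract "name (version)" pairs from the specs section of a Gemfile.lock.
# Lines with exactly four leading spaces are top-level specs; deeper
# indentation lists dependencies, which are ignored.
def lock_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, versions|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    versions[$1] = Gem::Version.new($2)
  end
end

# Returns [:ok | :upgrade | :not_present, reason].
def devise_status(lock_text)
  devise = lock_versions(lock_text)["devise"]
  return [:not_present, "devise not in Gemfile.lock"] unless devise

  series = devise.segments[0, 2].join(".")
  minimum = PATCHED_DEVISE[series]
  if minimum.nil?
    [:upgrade, "devise #{devise} is a series with no listed fix; move to a patched series"]
  elsif devise < minimum
    [:upgrade, "devise #{devise} < #{minimum}"]
  else
    [:ok, "devise #{devise} >= #{minimum}"]
  end
end

# Adapter gems present in the lock file that are outside the safe list.
def affected_adapters(lock_text)
  (lock_versions(lock_text).keys & KNOWN_ADAPTERS) - SAFE_ADAPTERS
end

# Constructed sample, not a real project's lock file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bcrypt-ruby (3.0.1)
      devise (2.2.2)
        bcrypt-ruby (~> 3.0)
        orm_adapter (~> 0.1)
      mysql2 (0.3.11)
      rails (3.2.11)
LOCK

if __FILE__ == $0
  status, reason = devise_status(SAMPLE_LOCK)
  puts "#{status}: #{reason}"
  puts "non-PG/SQLite adapters: #{affected_adapters(SAMPLE_LOCK).inspect}"
end
```

Run it against a real lock file with `devise_status(File.read("Gemfile.lock"))`; a result of `:upgrade` combined with a non-empty `affected_adapters` list is the "drop everything" case the thread describes, while an `:upgrade` result on pg or sqlite3 alone still warrants the upgrade at the next deploy.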
