Ruby on Rails' security woes continue: more issues have surfaced in the web framework less than two weeks after the release of updates that addressed two critical vulnerabilities.
The new security holes are in the same areas of the framework: its database layer, Active Record, and its query generation. The vulnerabilities could, for example, allow attackers to access confidential data in database tables without authorization.
The developers have again released updated versions of Ruby on Rails – 3.2.6, 3.1.6 and 3.0.14 – and are asking all affected users to update their Rails installations as soon as possible.
For users who cannot update to the latest supported versions of Rails, the developers have issued patches for both security vulnerabilities. For the Active Record vulnerability, fixes are available for versions 2.3.x and 3.x of Ruby on Rails. The unsafe query generation problem has been fixed for the 3.x series of Rails.
Versions 2.3.x and 3.0.x of Rails are no longer supported, and the developers recommend that users running these older, unsupported versions update to a supported version, because the availability of patches for future security issues is not guaranteed.