Rails 3.2.18, 4.0.5 and 4.1.1 have been released - tweakz
http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/

======
eonwe
I feel the title should tell that the releases are because of a directory
traversal vulnerability: [https://groups.google.com/forum/#!msg/rubyonrails-security/N...](https://groups.google.com/forum/#!msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ)

~~~
bdcravens
This release only has one fix, but it's common to have multiple fixes. It
would be impractical to identify all fixes in a release title, and HN guidelines
on titles are to "use the original title, unless it is misleading or linkbait".

------
atonse
Tangential security nitpick - doesn't it defeat the purpose to display SHA or
MD5 sums for downloads over a non-ssl page?

A bad actor could easily modify these in a proxy etc when serving the page.

Edit: Unless the purpose isn't to prevent tampering, but for error-correction.

~~~
stronglikedan
An attacker would have to modify the actual gem files in a way that would
yield the same checksums, since the hashing is one way only.

~~~
rst
The attack scenario is that the man-in-the-middle alters the checksums in the
page to match the checksums of his backdoored version.

------
kevinmchugh
There's also an 'Unsafe Query Risk', which is not a CVE and does not have a
patch.[0]

I believe this script[1] should expose some of those dangerous columns.
There's still the join alias risk, but I'm not sure, other than parsing a
schema.rb, how to get at those effectively.

[0] [https://groups.google.com/forum/#!topic/rubyonrails-security...](https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk)

[1] [https://gist.github.com/KevinMcHugh/fab941ec3677f9a19ee0](https://gist.github.com/KevinMcHugh/fab941ec3677f9a19ee0)

~~~
jenseng
something like this will find any associations that share a name with a column
in each model:
[https://gist.github.com/jenseng/2039fd57f5db40779871](https://gist.github.com/jenseng/2039fd57f5db40779871)
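
The check the two comments above describe, as an added example that is not code from the thread or from either linked gist: it reports every model in which an association shares its name with a column, which is the precondition for the unsafe query risk, and pairs it with a small guard that refuses non-scalar request parameters before they reach `where(column: value)`. It assumes models expose ActiveRecord's `column_names` and `reflect_on_all_associations`; the stub models and reflections are constructed here so the script runs without Rails or a database.

```ruby
# Added example, not code from the thread or the linked gists.
# Finds models where an association name equals a column name. For such a key,
# a hash arriving via params can be read as a condition on the associated table
# instead of the column, which is the "unsafe query generation" risk above.
#
# Assumptions: each model responds to `column_names` (array of strings) and
# `reflect_on_all_associations` (reflections responding to `name`), as
# ActiveRecord models do. In a real app pass `ActiveRecord::Base.descendants`
# after `Rails.application.eager_load!`; the stubs below are constructed.

# Returns { model name => sorted array of shadowed names } for affected models only.
def shadowed_associations(models)
  models.each_with_object({}) do |model, out|
    assoc_names = model.reflect_on_all_associations.map { |r| r.name.to_s }
    collisions = (assoc_names & model.column_names).sort
    out[model.name] = collisions unless collisions.empty?
  end
end

# Coerces a user-supplied value to a scalar before it reaches `where(col: value)`.
# Hashes and arrays raise instead of passing through, so a request parameter
# cannot turn a column condition into a nested condition on an association.
def scalar_param(value)
  case value
  when String, Numeric, NilClass then value
  else raise ArgumentError, "expected a scalar, got #{value.class}"
  end
end

# Constructed stand-ins for ActiveRecord reflections and models.
Reflection = Struct.new(:name)
FakeModel = Struct.new(:name, :column_names, :reflect_on_all_associations)

SAMPLE_MODELS = [
  # `author` is both a string column and an association: shadowed.
  FakeModel.new("Post", %w[id title author created_at],
                [Reflection.new(:author), Reflection.new(:comments)]),
  # No overlap between columns and associations.
  FakeModel.new("Comment", %w[id body post_id], [Reflection.new(:post)]),
]

if __FILE__ == $PROGRAM_NAME
  shadowed_associations(SAMPLE_MODELS).each do |model, names|
    puts "#{model}: association(s) #{names.join(', ')} shadow a column of the same name"
  end
end
```

Run it against the real model list in a Rails console after eager loading; each reported model is one where a `where(name: params[:name])` call should be given `scalar_param(params[:name])` (or a table-qualified SQL condition) rather than the raw parameter.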

------
Tho85
For all those who can't upgrade to the latest versions of Rails: Zweitag (my
employer) maintains a Rails fork with security fixes applied to all Rails
releases since 3.1.0.

[https://github.com/zweitag/rails/branches](https://github.com/zweitag/rails/branches)

~~~
yuhong
And for 3.0 and older: [https://railslts.com/](https://railslts.com/)

------
pmh
The original CVE has been amended[1] since having *action in the route is not
the only attack vector.

[1] [https://groups.google.com/forum/#!topic/rubyonrails-security...](https://groups.google.com/forum/#!topic/rubyonrails-security/PyJo7_m-Ehk)