Saturday, November 24, 2007

Ruby on Rails 1.2.6: Security and Maintenance Release

Posted by michael

The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077.

You should upgrade to this new release if you do not take specific session-fixation counter measures in your application. 1.2.6 also fixes some regressions when working with has_many associations on unsaved ActiveRecord objects.

As with other 1.2.x releases, this is intended as a drop in upgrade for users of earlier versions in the 1.2 series.

To upgrade, `gem install rails`, set RAILS_GEM_VERSION to ‘1.2.6’ in config/environment.rb, and `rake rails:update:configs`.