New Releases: 2.3.11 and 3.0.4
Posted by michael February 08, 2011 @ 10:39 PM
Two new versions of Ruby on Rails have been released today. As well as including a number of bugfixes, they contain fixes for some security issues. The full details of each of the vulnerabilities are available on the rubyonrails-security mailing list. We strongly urge you to update production Rails applications as soon as possible. Rather than post the advisories individually to this blog, I’ll just link to the Google Groups archives.
Install the latest version using gem install rails, or, if you’re using Bundler, edit your Gemfile and run bundle update rails.
Summaries
Affecting 2.x.x and 3.0.x
- XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
- CSRF Bypass Risk CVE-2011-0447
Affecting 3.0.x only
- Filter Problems on Case Insensitive Filesystems CVE-2011-0449
- Potential SQL Injection with limit() CVE-2011-0448

‘bundle update rails’ is a better way to update it. That way it doesn’t affect all your other gems
My i18n completely breaks with Rails 3.0.4; I’m getting exceptions of the type “undefined method `locale=’ for nil:NilClass” in my before_filters that have to set the locale. Is anybody else having this issue?
Thank you very much, Rails team; RoR is the greatest product.
Thank you.
Is something fucked up with sessions in v3.0.4? My AJAX requests have empty session object. I had to revert to 3.0.3. Fail!
Did something change in accepts_nested_attributes_for?
My specs are failing due to that option not being honored during update_attributes and destroy.
Should this security fix be safe to drop-in?
I’m having a lot of “can’t dup NilClass” both in my tests (when a :through association is involved) and in Authlogic session creation.
Something changed in 3.0.4, but I can’t figure out why this error is showing up, and I’m unable to recreate the case in a simple Rails app.
TypeError (can’t dup NilClass): app/controllers/user_sessions_controller.rb:13:in `create’
Rolling back to 3.0.3 solved the problems.
Problem with AJAX calls solved: http://brandonaaron.net/blog/2009/02/24/jquery-rails-and-ajax
For “can’t dup NilClass” problem, this is probably the reason and a possible patch:
https://github.com/rails/rails/commit/c8b7606734cc556ae17a9dd5bb12994a3cff6b7e
I’m on rails 2.3.11.
Rails is fine; it has only changed the way accepts_nested_attributes_for and :dependent => :destroy work. It seems it’s skipping some external methods; my mocks aren’t receiving the calls they are expecting.
However, if I remove the mocks and use the real objects, everything works fine.
Unfortunately the 2.3.11 and 3.0.4 versions ARE NOT ONLY a security fix. Why wasn’t this advertised? Wasn’t it possible to release two versions, one with the security fix and another with the modifications?
This way, some of us could not upgrade safely, leaving the disclosed security problem exploitable.
It’s a good idea to follow the Rails release milestones to know what is in the update: https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/milestones/current
You are right, Jon. But this blog is the official communication channel, so it should have been crystal clear about what goes into a ‘security patch’. Am I wrong?
Here is a patch:
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
Nice to hear from rails team
@matteo Unless this blog post was updated then it is VERY clear:
First Sentence: “including a number of bugfixes”
nice to hear this
@Michael Noack
I read the post twice, carefully. I have not found a clear statement or a link to one (usually called RELEASENOTES) about the changes.
Look, it’s all free etc. etc. and I have not contributed a single line of code bla bla bla, but THIS criticism is justified. There should be release notes!
There’s also something fishy with the routing? I’m getting loads of “no route found” with breaking tests on 3.0.4 – works like a charm on 3.0.3?
I have session problems as well. Had to go back to 3.0.3.
Have to wait for an update; had no idea how to fix it :)
Having some problems in multi-thread mode as well with 3.0.4. With config.threadsafe! some requests hang and logging seems screwed for concurrent requests. Going back to 3.0.3 works fine as does turning off config.threadsafe!
Hi there, thanks to the Rails team for all the hard work. But … in the new release there are TWO sets of changes: one about security, which HAD TO be released IMMEDIATELY, and another one which could come out when tested.
If THIS is the state that the team calls TESTED, I’m sorry guys, this is NOT SERIOUS. And don’t tell me THIS IS FREE SO SHUT UP!
There needs to be an improvement in the release/test process. We have TONS of docs and speeches on Green/Red test cycles and … we end up with this … MESS!
And still nobody cares to fix the Rails / Rack Bug that truncates all post requests… Rails is an absolute maintenance nightmare.
There are issues with Rails 3.0.4.
When I updated to 3.0.4 from 3.0.3 my dev setup immediately stopped working:
$ rails s
/Users/thomas/.rvm/rubies/ruby-1.9.2-p136/lib/ruby/site_ruby/1.9.1/rubygems.rb:861:in `report_activate_error’: RubyGem version error: builder(3.0.0 not ~> 2.1.2) (Gem::LoadError)
Moving back to Rails 3.0.3 made everything work. Obviously I had made sure that Gemfile.lock, gems and everything were as expected.
A solution for the problem of having people (like me) complain quite noisily about errors (see comments above) in FREE software is this: make it absolutely clear to everyone (at the top of every webpage and README for the software) that the FREE version is “beta” and will have bugs.
Each time I complain I’m torn – it’s FREE after all, so I should shut up… but who got me to use that software in the first place, by putting it up there, providing lots of content, presentations and in general lots of marketing?
Also, I still don’t know what changed in 3.0.4. The only way I see is to install both 3.0.3 and 3.0.4 and run diff -uNr on them. Even the CHANGELOGs in the source code say NOTHING.
Okay, just did that, so here’s the summary of changes between 3.0.3 and 3.0.4:
ACTIONMAILER - nothing
ACTIVESUPPORT
- fix docu typo and add some docu
- BigDecimal: add to_d method
- change a require() path and add a require()
- HashWithIndifferentAccess: use “case” instead of “if”
- inflections: fix regex
- XmlMini_NokogiriSAX optimization
ACTIVEMODEL
- class Errors < ActiveSupport::OrderedHash: add blank? alias for empty? and add to_hash method
- docu improvements
- Serializers::XML: add a line
- Validations::ClassMethods: add an “else” branch to raise ArgumentError
ACTIVERESOURCE - nothing
ACTIONPACK (lots of changes) too much for me right here & now
ACTIVERECORD (lots of changes) too much for me right here & now
RAILTIES (only .rb files shown):
Files railties-3.0.3/guides/rails_guides/helpers.rb and railties-3.0.4/guides/rails_guides/helpers.rb differ
Files railties-3.0.3/guides/source/index.html.erb and railties-3.0.4/guides/source/index.html.erb differ
Files railties-3.0.3/guides/source/layout.html.erb and railties-3.0.4/guides/source/layout.html.erb differ
Files railties-3.0.3/lib/rails/generators/actions.rb and railties-3.0.4/lib/rails/generators/actions.rb differ
Files railties-3.0.3/lib/rails/generators/base.rb and railties-3.0.4/lib/rails/generators/base.rb differ
Files railties-3.0.3/lib/rails/generators/rails/app/app_generator.rb and railties-3.0.4/lib/rails/generators/rails/app/app_generator.rb differ
Files railties-3.0.3/lib/rails/generators/rails/app/templates/config/boot.rb and railties-3.0.4/lib/rails/generators/rails/app/templates/config/boot.rb differ
Files railties-3.0.3/lib/rails/generators.rb and railties-3.0.4/lib/rails/generators.rb differ
Files railties-3.0.3/lib/rails/rack/logger.rb and railties-3.0.4/lib/rails/rack/logger.rb differ
Files railties-3.0.3/lib/rails/railtie.rb and railties-3.0.4/lib/rails/railtie.rb differ
Files railties-3.0.3/lib/rails/test_help.rb and railties-3.0.4/lib/rails/test_help.rb differ
Files railties-3.0.3/lib/rails/version.rb and railties-3.0.4/lib/rails/version.rb differ
I’m having a problem with sessions and AJAX; my session is now empty. Going back to 3.0.3 fixes this.
Hi, doing bundle update rails will delete all your controller/views/models if you do it in your current project.
This wasn’t nice…
I have session problems as well, AJAX requests have empty session object. My jQuery version is 1.5
@Michael: And the nearly 4 month old Rack params patch is still sitting unloved in the tracker :(
https://rails.lighthouseapp.com/projects/8994/tickets/5873-fix-broken-rack-params-parser-in-rails-236
@Donner So: jQuery 1.51 will fix this.
@Nguyễn Sinh Cung: Thanks a lot.
thanks rails team, upgrade went smoothly
Would be good to not link your CVEs to Google Groups, as Chinese users cannot access these links.
Thx.
@Nguyen Sinh Cung: please use English in the conversation because this is a public thread.
I am also having a problem with the routing. Is there a glitch ?
Was about to try and wet my feet on RoR, but seeing this mess with “We strongly urge you to update production Rails applications as soon as possible” and finding out it’s not been properly tested after all, I think I’ll stick to my non-ruby-but-safer tools.
Suggestion: learn to use branches and make security fix releases just that and not “security fix releases with added untested changes that will break your deployed apps”.
I’m also having a problem with 2nd level “accepts_nested_attributes_for”s. The code worked fine, I “updated”, and now it’s broken.
Release notes.
where are they?
Also I cannot find any information about 2.3.10 here, or again any release notes.
So if I take 2.3.11 to fix this security issue what else am I taking?