Good news everyone! Rails version 3.0.13 has been released.
This release of Rails contains two important security fixes:
- CVE-2012-2660 Ruby on Rails Active Record Unsafe Query Generation Risk
- CVE-2012-2661 Ruby on Rails Active Record SQL Injection Vulnerability
It is suggested that all users upgrade immediately. For more information about these issues, please see the annoumcenents on the rubyonrails-security mailing list.
Other changes for this release can be found in each component’s CHANGELOG:
All changes can be found here.
I want to give a special thanks to Ben Murphy for responsibly reporting the two security issues that are fixed in this release. Thank you very much!