
January 14, 2013: Security vulnerabilities: httparty, extlib, crack, nori: Update these gems immediately

Tasha Drew
posted this on January 14, 2013 02:50 PM

Researchers investigating the Rails parameter parsing vulnerability discovered that the same or similar vulnerable code had made its way into multiple other libraries. If your application uses these libraries to process untrusted data, it may still be vulnerable even if you have upgraded Rails. Check your Gemfile and Gemfile.lock for vulnerable versions of the following libraries, and if you are using one, update it immediately.

You can update each of these by using "bundle update <gem name>". 

httparty
  Vulnerable: <= 0.9.0
  Fixed: 0.10.0

extlib
  Vulnerable: <= 0.9.15
  Fixed: 0.9.16

crack
  Vulnerable: <= 0.3.1
  Fixed: 0.3.2

nori
  Vulnerable: <= 2.0.1, <= 1.1.3, <= 1.0.2
  Fixed: 2.0.2, 1.1.4, 1.0.3
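As an added example (not code from the advisory or these gems' authors), this Ruby script parses a Gemfile.lock, compares each listed gem's locked version against the ranges above with Gem::Version, and reports the fixed version to update to. The sample lockfile is constructed, and the handling of nori's three branches (pick the branch by major.minor, fall back to the newest) is an assumption about how the advisory's ranges are meant to be read.

```ruby
# Added example (not the advisory author's code): check a Gemfile.lock against the versions above.
require 'rubygems'

# [vulnerable_ceiling, fixed_version] per release branch, newest first; values from the advisory.
ADVISORY = {
  'httparty' => [['0.9.0', '0.10.0']],
  'extlib'   => [['0.9.15', '0.9.16']],
  'crack'    => [['0.3.1', '0.3.2']],
  'nori'     => [['2.0.1', '2.0.2'], ['1.1.3', '1.1.4'], ['1.0.2', '1.0.3']],
}.freeze

# Gem specs in a Gemfile.lock are indented exactly four spaces ("    name (version)");
# their dependency lines use six and DEPENDENCIES entries two, so those are skipped.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, versions|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/)
    versions[m[1]] = m[2] if m
  end
end

# Fixed version to upgrade to if `version` of `name` is vulnerable, else nil. The branch is
# picked by major.minor (assumption); unlisted branches fall back to the newest one.
def fixed_version_for(name, version)
  return nil unless (branches = ADVISORY[name])
  v = Gem::Version.new(version)
  ceiling, fixed = branches.find { |c, _| Gem::Version.new(c).segments[0, 2] == v.segments[0, 2] } ||
                   branches.first
  v <= Gem::Version.new(ceiling) ? fixed : nil
end

# [[name, locked_version, fixed_version], ...] for every affected gem in the lockfile.
def vulnerable_gems(lockfile_text)
  locked_versions(lockfile_text).map { |n, v| (f = fixed_version_for(n, v)) && [n, v, f] }.compact
end

# Constructed sample lockfile: crack is already on the fixed version, httparty and nori are not.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crack (0.3.2)
      httparty (0.9.0)
        multi_json (~> 1.0)
      nori (1.1.3)

  DEPENDENCIES
    httparty (~> 0.9)
LOCK

vulnerable_gems(SAMPLE_LOCK).each { |n, v, f| puts "#{n} #{v}: run `bundle update #{n}` (fixed in #{f})" }
```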


Comments

Doug Schlenker
account-4930

Yikes, a few of these are really popular gems. I have a feeling we're going to see more gems in the upcoming weeks that have this same issue. Please keep posting these security alerts!

January 14, 2013 03:26 PM
Ken Richard
Applied Educational Systems

Thanks for keeping us up to date. I would rather have too many emails/notifications than miss something important.

January 15, 2013 05:10 AM