There is a directory traversal vulnerability in Ruby on Rails. This security update contains the following sections:
- Issue - security vulnerability summarized.
- Solution - the recommended solution for most cases.
- Workaround - alternatives in case you cannot upgrade now or have older versions.
- FAQs - frequently asked questions.
- More information - helpful links related to this security vulnerability.
Issue
A security advisory was published on May 6th, 2014:
Directory traversal vulnerability in Ruby on Rails
There is a directory traversal vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.
Versions Affected: All supported versions.
Not affected: NONE.
Fixed Versions: 4.1.1, 4.0.5, 3.2.18
Solution
Upgrade Ruby on Rails to the following versions: 4.1.1, 4.0.5, 3.2.18.
Note: We understand that you may not be able to upgrade your version of Ruby on Rails. In this case, implement the workaround described in the next section.
Workaround
If you are not able to upgrade soon, you can apply one of the patches attached to the original CVE-2014-0130 advisory:
- 4-1-directory_traversal.patch - Patch for 4.1 series
- 4-0-directory_traversal.patch - Patch for 4.0 series
- 3-2-directory_traversal.patch - Patch for 3.2 series
FAQs
How can I tell which versions I have now?
You can verify the versions you are using with:
machine user$ bundle list rails
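Knowing the version is only half the check; the other half is comparing it against the fixed release for its series. The following Ruby script is an added example, not part of this advisory or of Rails itself. It takes the text printed by `bundle list` (or the contents of a Gemfile.lock), pulls out the rails version, and reports whether that version is at or above the fixed release the advisory lists for its series (4.1.1, 4.0.5, 3.2.18). A series the advisory does not list (for example 3.1) gets no fix and is reported as unsupported. The sample `bundle list` output embedded below is constructed for the example.

```ruby
# Added example (not Engine Yard's or Rails' own code): classify a Rails
# version against the CVE-2014-0130 fixed releases named in the advisory.
require "rubygems" # for Gem::Version

# Series => first release in that series containing the fix (from the advisory).
FIXED_VERSIONS = {
  "4.1" => Gem::Version.new("4.1.1"),
  "4.0" => Gem::Version.new("4.0.5"),
  "3.2" => Gem::Version.new("3.2.18"),
}.freeze

# "major.minor" series of a version string, e.g. "4.0.4" => "4.0".
def rails_series(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

# :fixed       - version is at or above the fixed release for its series
# :vulnerable  - a supported series, but below the fixed release
# :unsupported - a series the advisory lists no fix for; treat as vulnerable
def cve_2014_0130_status(version)
  fixed = FIXED_VERSIONS[rails_series(version)]
  return :unsupported unless fixed
  Gem::Version.new(version) >= fixed ? :fixed : :vulnerable
end

# Extract the rails gem version from `bundle list` output ("  * rails (4.0.4)")
# or from a Gemfile.lock spec line ("    rails (4.0.4)"). The version must start
# with a digit, so the "rails (= 4.0.4)" DEPENDENCIES line of a lockfile and
# gems such as railties or rails-html-sanitizer do not match.
def rails_version_from(text)
  m = text.match(/^\s*\*?\s*rails \((\d+\.\d+\.\d+[^)]*)\)/)
  m && m[1]
end

# Constructed sample of `bundle list` output; not captured from a real system.
SAMPLE_BUNDLE_LIST = <<~OUT
  Gems included by the bundle:
    * actionpack (4.0.4)
    * rails (4.0.4)
    * railties (4.0.4)
    * rake (10.3.1)
OUT

if __FILE__ == $0
  version = rails_version_from(SAMPLE_BUNDLE_LIST)
  puts "rails #{version}: #{cve_2014_0130_status(version)}"
end
```

To run it against a real application, replace `SAMPLE_BUNDLE_LIST` with the output of `bundle list` or the contents of `Gemfile.lock`; anything other than `:fixed` means the upgrade or the workaround patch still applies.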
More information
| For more information about ... | See ... |
|---|---|
| The amended announcement | CVE-2014-0130 AMENDED |
| The original announcement with the workaround patches | CVE-2014-0130 |
| Ruby on Rails releases | RoR releases |
If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.