Ruby on Rails 4.0.3, 3.2.17 and 4.1.0.beta2 have been released. The latest releases address a total of three vulnerabilities.
According to the developers, the vulnerabilities fixed in 3.2.17 have the following identifiers: CVE-2014-0081 and CVE-2014-0082. In Ruby on Rails 4.0.3, the issues with the CVE-2014-0080 and CVE-2014-0081 identifiers have been addressed.
In 4.1.0.beta2, the list of security fixes includes CVE-2014-0080 and CVE-2014-0081.
CVE-2014-0080 is a data injection vulnerability impacting Active Record. The flaw can be exploited to add data to array columns in PostgreSQL databases.
CVE-2014-0081 refers to a cross-site scripting (XSS) vulnerability in the “number_to_currency,” “number_to_percentage” and “number_to_human” helpers.
Finally, CVE-2014-0082 is a denial-of-service (DoS) issue in Action View. More precisely, the bug impacts the text rendering component of Action View.
Users are advised to update their installations as soon as possible. The latest versions of Ruby on Rails can be downloaded from Softpedia.