ChiliProject 3.2.2 released

ChiliProject 3.2.2 has just been released. This release is a security release to fix two security issues in Rails (CVE-2012-2694 and CVE-2012-2695) which allowed attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6. We have backported them to the version of Rails we use right now.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the 2.7.3 release, which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version, as that branch is not supported any more and doesn’t receive updates.

We apologize for the unusually large number of patch releases lately. The vulnerabilities fixed in this and the last release are located in Ruby on Rails, the web framework we use as the basis for ChiliProject. The bugs were announced by Rails and are thus publicly known. As we strive to keep our users as secure as possible, we release security updates as fast as we can, so that responsible administrators can update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 3.2.2

What’s included

3.2.2 includes two security fixes:

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)
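
Both advisories concern request parameters that a Rack-based application receives as arrays or hashes (from query strings such as `key[]` or `key[sub]=...`) rather than as plain strings, and that are then passed into Active Record query conditions. The proper fix is the Rails upgrade (or the backport in this release); the following is an added example, not ChiliProject's or Rails' own code, of a defence-in-depth guard an application can apply on top of it. It assumes a hypothetical `build_condition` stand-in for the framework's hash-conditions builder, and the sample parameter hashes are constructed to resemble Rack's parser output.

```ruby
# Added example (not ChiliProject's code): admit only scalar request parameters
# into a query condition. Rack turns "key[]" into an Array and "key[sub]=v" into
# a Hash; the Rails 3.2.6 advisories concern such structured values reaching
# Active Record conditions. The model layer is replaced by +build_condition+,
# a hypothetical stand-in that returns SQL text plus bind values.

class UnsafeQueryParam < ArgumentError; end

# Return params[key] only if it is a plain scalar; reject anything structured.
def scalar_param!(params, key)
  value = params[key]
  case value
  when String, Integer, Float, true, false
    value
  when nil
    raise UnsafeQueryParam, "#{key} is missing"
  else
    # Arrays and Hashes come from "key[]" / "key[sub]" in the query string.
    raise UnsafeQueryParam, "#{key} must be a scalar, got #{value.class}"
  end
end

# Minimal stand-in for hash conditions: placeholder SQL and its bind values.
def build_condition(table, column, value)
  ["#{table}.#{column} = ?", [value]]
end

# Lookup that only ever binds a validated scalar for the login column.
def find_user_condition(params)
  login = scalar_param!(params, "login")
  build_condition("users", "login", login)
end

# Helper used by the checks below: condition on success, message on rejection.
def classify(params)
  find_user_condition(params)
rescue UnsafeQueryParam => e
  e.message
end

# Constructed inputs shaped like Rack's parse of the given query strings.
SAMPLE_PARAMS = {
  "login=alice"           => { "login" => "alice" },
  "login[]"               => { "login" => [nil] },
  "login[users.admin]=1"  => { "login" => { "users.admin" => "1" } },
}

SAMPLE_PARAMS.each { |qs, params| puts "#{qs.ljust(22)} -> #{classify(params).inspect}" }
```

Only the first sample reaches the condition builder; the array and hash forms are rejected before any SQL is assembled, which is the behaviour the Rails fix enforces inside the framework itself.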

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

About Holger Just

Half-time Ruby and Rails developer and half-time friendly operations guy, I try to improve the world one step at a time, striving for perfection along the way. You can follow me on Twitter or subscribe to my blog.


  • https://openid.stackexchange.com/user/3255ad94-4ec1-44d9-86d4-dfaad0fdb096 enno@groeper-berlin.de

    Thanks for the good work!
    I really appreciate it, that you are backporting the Rails security fixes.
