ChiliProject 3.5.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0156) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.15, which is included in this release of ChiliProject.
This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.
Users of the old 2.x release branch, please check the ChiliProject 2.8.0 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.
3.5.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.
Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately.
The corresponding ChiliProject bug is:
- Security – Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
This was also reported as Bug #1201 by Roger Hunwicks, thanks for that!
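To make the quoted impact concrete from the defensive side, here is an added example that is not ChiliProject or Rails code: a toy model of the typed-XML parameter format (e.g. <count type="integer">5</count>) in which the conversion table is an allowlist, so a request asking for the "yaml" or "symbol" conversion is refused instead of executed. The flat-element regex parser and the sample bodies are constructed for the demo and are not how Rails itself parses XML.

```ruby
# Added example (not ChiliProject or Rails code): typed parameters are cast only
# through an allowlist, so an attacker-chosen type attribute can never reach the
# YAML or Symbol conversions named in the advisory.

class UnsafeTypeCast < StandardError; end

# Conversions that are safe to run on untrusted input.
SAFE_CASTS = {
  "string"  => ->(s) { s },
  "integer" => ->(s) { Integer(s.strip, 10) },
  "float"   => ->(s) { Float(s.strip) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip.downcase) },
}.freeze

# Conversions the pre-fix Rails parser offered that must never run on
# user-provided data. They are listed explicitly so such a request fails
# loudly instead of being silently treated as a string.
FORBIDDEN_CASTS = %w[symbol yaml].freeze

def cast_param(type, raw)
  type = (type || "string").downcase
  raise UnsafeTypeCast, "type #{type.inspect} is not allowed" if FORBIDDEN_CASTS.include?(type)
  caster = SAFE_CASTS.fetch(type) { raise UnsafeTypeCast, "unknown type #{type.inspect}" }
  caster.call(raw)
end

# Simplified model (an assumption for this demo): one level of
# <name [type="..."]>value</name> elements, matched with a regex.
ELEMENT = %r{<(?<name>[\w-]+)(?:\s+type="(?<type>[^"]*)")?\s*>(?<raw>[^<]*)</\k<name>>}

def parse_typed_params(xml)
  xml.scan(ELEMENT).each_with_object({}) do |(name, type, raw), params|
    params[name] = cast_param(type, raw)
  end
end

# Constructed sample bodies, not captured traffic.
BENIGN_BODY   = '<issue><subject type="string">Hello</subject>' \
                '<count type="integer"> 42 </count><open type="boolean">true</open></issue>'
REJECTED_BODY = '<issue><note type="yaml">- harmless</note></issue>'

if $PROGRAM_NAME == __FILE__
  p parse_typed_params(BENIGN_BODY)   # {"subject"=>"Hello", "count"=>42, "open"=>true}
  begin
    parse_typed_params(REJECTED_BODY)
  rescue UnsafeTypeCast => e
    puts "rejected: #{e.message}"
  end
end
```

For a real Rails 3.x application the published workaround had the same effect by removing the "symbol" and "yaml" entries from ActiveSupport::XmlMini::PARSING; for ChiliProject the upgrade to Rails 2.3.15 is the fix.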
How to upgrade
Please follow the Upgrade Guide in our Wiki. Make sure to run "bundle update" during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.