ChiliProject 2.7.4 has just been released. This is a security release that fixes two XSS vulnerabilities (CVE-2012-3464, CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) in Rails. All of these bugs were fixed upstream in Rails; we have either included the Rails fixes directly or backported them to the version of Rails that ChiliProject currently uses.
This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.4.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.
2.7.4 includes three security fixes which were backported from ChiliProject 3.4.0.
- Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
- Security – Bug #1114: XSS Vulnerability in strip_tags
- Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
The 2.x versions of ChiliProject are officially in maintenance mode and will only receive security updates until the release of 4.0. After that date the 2.x branch will no longer be supported in any way. To get general bug fixes and new features, we recommend upgrading to the current stable version of ChiliProject, which is currently ChiliProject 3.4.0.