ChiliProject 3.5.1 has just been released. This release is a security release to fix a security issue of Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with
IS NULL or empty
where clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.
Additional details are available in the updated advisory of the Rails project.
This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we recommend that all users of ChiliProject download and install the security release as soon as possible.
Users of the old 2.x release branch, please check the ChiliProject 2.8.1 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.
3.5.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:
Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.
All users running an affected release should either upgrade or use one of the work arounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.
The corresponding ChiliProject bug is:
- Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
How to upgrade
Please follow the Upgrade Guide in our Wiki.