ChiliProject 3.6.0 has just been released. This is a security release that fixes a severe vulnerability in Rails (CVE-2013-0333) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. The bug was fixed in Rails 2.3.16, which is included in this release of ChiliProject.
This release contains 1 other bug fix and no new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.
Users of the old 2.x release branch should upgrade to the ChiliProject 2.9.0 release, which includes the same security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version, as that branch is no longer supported and does not receive updates.
3.6.0 contains 1 security fix for Rails and 1 bug fix. To quote the impact section from the announcement to the Rails security list:
The JSON Parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.
All users running an affected application should upgrade or use the workaround immediately.
The corresponding ChiliProject bugs are:
- Bug #1216: “Only for things I watch or I’m involved in” sends notifications only for issues
- Security – Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)
How to upgrade
Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.
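A quick way to confirm that the bundle update actually pulled in the patched Rails is to read the locked version out of Gemfile.lock and compare it against 2.3.16, the version named above as carrying the fix. The script below is an added example, not part of ChiliProject or of this announcement; the Gemfile.lock fragment it embeds is constructed for illustration and shows the state before bundle update has run.

```ruby
require 'rubygems'

# First Rails release that carries the CVE-2013-0333 fix, as stated in the announcement.
FIXED_RAILS_VERSION = Gem::Version.new('2.3.16')

# Constructed sample Gemfile.lock fragment (not from a real ChiliProject checkout),
# showing a bundle that still locks the vulnerable Rails 2.3.15.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (2.3.15)
        actionpack (= 2.3.15)
      rails (2.3.15)
        actionmailer (= 2.3.15)
        rake (>= 0.8.3)
LOCK

# Return the locked version of +gem_name+ from a Gemfile.lock body, or nil if the
# gem is not listed. Locked gems sit under "specs:" indented by exactly four spaces,
# e.g. "    rails (2.3.15)"; dependency lines are indented deeper and are skipped.
def locked_gem_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the locked Rails is at or above the fixed version; false when Rails is
# missing from the lock file or still at an older release.
def rails_patched?(lock_text)
  version = locked_gem_version(lock_text, 'rails')
  return false if version.nil?
  version >= FIXED_RAILS_VERSION
end

if __FILE__ == $PROGRAM_NAME
  # Pass the path to a real Gemfile.lock as the first argument; otherwise the
  # constructed sample is checked.
  lock_text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GEMFILE_LOCK
  version = locked_gem_version(lock_text, 'rails')
  if rails_patched?(lock_text)
    puts "rails #{version}: OK (>= #{FIXED_RAILS_VERSION})"
  else
    puts "rails #{version || 'not found'}: run `bundle update` to install Rails #{FIXED_RAILS_VERSION} or later"
  end
end
```

Run it as `ruby check_rails_version.rb /path/to/chiliproject/Gemfile.lock` after the upgrade; it reports the locked Rails version and whether it meets the 2.3.16 minimum. Comparing with Gem::Version rather than string equality keeps the check correct for later point releases such as 2.3.17.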