The new Ruby on Rails version 3.2.7 fixes CVE-2012-3424, a worrisome security vulnerability that exposes web applications using RoR’s digest authentication to denial of service attacks.
The issue affects systems using Action Pack digest authentication, typified by the use of the “with_http_digest” controller helper methods such as authenticate_or_request_with_http_digest. According to the advisory, there are no workarounds for the issue, which also affects Rails 3.0 and 3.1. The developers recommend that users upgrade immediately.
Details on the fix, along with code samples, are on Google’s Ruby on Rails group, here.
- Rails 3.2.7 released with denial of service fix [H-Online]
- Rails version 3.2.7 has been released! [RubyonRails.org]