Archive for February, 2011

Problem
After the announcements in the previous posts about the security vulnerabilities in Rails 3.0.3, you want to update your application to the latest 3.0.4 release and deploy it.

Solution

  • Change your Gemfile to replace
    gem 'rails', '3.0.3'
    with
    gem 'rails', '3.0.4'
  • Run:
    bundle update rails
  • Remove the old 3.0.3 gem files from vendor/cache. List them with:
    git status
    and then remove each one with:
    git rm name_of_3.0.3_gem
  • Add the new gems to your git
    git add vendor/cache
  • Check the new files in to your repository:
    git commit vendor/cache -m 'upgrade to rails 3.0.4'
  • Make sure that you also check in both your Gemfile and Gemfile.lock into your git repository
    git commit Gemfile Gemfile.lock -m 'update Gemfiles to use 3.0.4'
    otherwise when you try to deploy you will see the error:
    You have modified your Gemfile in development but did not check the resulting snapshot (Gemfile.lock) into version control
  • Push everything to your git repository:
    git push
  • Deploy your application with capistrano as usual:
    cap deploy
  • The new 3.0.4 gems are now installed in the shared/bundle folder on the server.
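A check to run before the push and the cap deploy, added here as an example and not part of the original post: it reads Gemfile.lock and vendor/cache and reports the two things the procedure above can leave half-done, a lock file that still resolves rails to 3.0.3 and stale 3.0.3 .gem files that were never removed with git rm. The script name check_rails_upgrade.rb and the default version 3.0.4 are this example's own choices; the component gem list is the set of gems shipped with Rails 3.0.x.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original post: a pre-push sanity check for the
# Rails upgrade procedure. It verifies that Gemfile.lock resolves rails to the
# expected version and that vendor/cache holds that version of every Rails
# component gem, with no stale .gem files of the old version left to `git rm`.
#
# Usage: ruby check_rails_upgrade.rb APP_DIR [VERSION]    (VERSION defaults to 3.0.4)

# Gems that ship with every Rails 3.0.x release and share its version number.
RAILS_COMPONENT_GEMS = %w[rails railties actionpack actionmailer
                          activerecord activesupport activemodel activeresource].freeze

# Parse the "    rails (3.0.4)" specs entry out of Gemfile.lock text. The four
# leading spaces select the resolved gem line, not the "rails (= 3.0.4)"
# dependency lines that are indented deeper or appear under DEPENDENCIES.
# Returns the version string, or nil when rails is not in the lock file.
def locked_rails_version(lock_text)
  m = lock_text.match(/^    rails \((\d+(?:\.\d+)*)\)/)
  m && m[1]
end

# List cached Rails component gems whose file name carries a version other
# than the expected one, e.g. vendor/cache/activerecord-3.0.3.gem. Gems that
# are not Rails components (or that carry a prerelease suffix) are ignored.
def stale_rails_gems(cache_dir, want)
  Dir.glob(File.join(cache_dir, '*.gem')).sort.select do |path|
    m = File.basename(path).match(/\A(.+)-(\d+(?:\.\d+)*)\.gem\z/)
    m && RAILS_COMPONENT_GEMS.include?(m[1]) && m[2] != want
  end
end

# Run every check against an application checkout. Returns an array of
# problem descriptions, empty when the checkout is ready to push and deploy.
def upgrade_problems(app_dir, want)
  problems = []
  lock = File.join(app_dir, 'Gemfile.lock')
  return ["#{lock} is missing; commit it or the deploy aborts"] unless File.file?(lock)

  locked = locked_rails_version(File.read(lock))
  problems << "Gemfile.lock resolves rails to #{locked.inspect}, expected #{want}" if locked != want

  cache = File.join(app_dir, 'vendor', 'cache')
  unless File.file?(File.join(cache, "rails-#{want}.gem"))
    problems << "vendor/cache/rails-#{want}.gem not present; run `bundle update rails`"
  end

  stale = stale_rails_gems(cache, want)
  problems << "stale gems still cached, `git rm` them: #{stale.join(', ')}" unless stale.empty?
  problems
end

# Command-line entry point; only runs when an APP_DIR argument is given.
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  dir  = ARGV[0]
  want = ARGV[1] || '3.0.4'
  problems = upgrade_problems(dir, want)
  if problems.empty?
    puts "OK: #{dir} pinned to rails #{want}"
  else
    problems.each { |p| warn "FAIL: #{p}" }
    exit 1
  end
end
```

Run it from the application root as `ruby check_rails_upgrade.rb . 3.0.4`; a non-zero exit means something in the list above was skipped. It only inspects the working tree, so a Gemfile.lock that is present but not yet committed still has to be caught by git status before the push.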

Security announcement about potential SQL injection with limit().

Full details here.

Versions affected: 3.0.0 to 3.0.3.
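The announcement above concerns user-controlled values reaching limit(). Independently of the framework fix in 3.0.4, a page size taken from params should arrive at limit() as a bounded Integer, never as the raw string. The following is an added example, not code from the original post or from Rails; the parameter names per_page and page, the defaults and the caps are assumptions made for the example.

```ruby
# Added example, not from the original post or from Rails itself: a controller-
# side allowlist for user-supplied LIMIT/OFFSET values. Whatever the framework
# does internally, the value handed to limit() is always a clamped Integer.

DEFAULT_PAGE_SIZE = 25   # assumed default for the example
MAX_PAGE_SIZE     = 100  # assumed cap so a client cannot page the whole table

# Accept only an unsigned decimal string. Anything else (nil, "", negative
# numbers, "10abc", hex like "0x10", or any SQL fragment) falls back to the
# default; "0" also falls back because LIMIT 0 is never what a client wants.
# The accepted value is clamped to 1..max.
def safe_limit(raw, default: DEFAULT_PAGE_SIZE, max: MAX_PAGE_SIZE)
  return default unless raw.is_a?(String) && raw =~ /\A\d+\z/
  n = raw.to_i
  return default if n.zero?
  [n, max].min
end

# Turn raw query parameters into the two integers a relation needs, e.g.
#   opts = pagination_for(params)
#   scope.limit(opts[:limit]).offset(opts[:offset])
# The page number reuses the same allowlist with its own default and cap.
def pagination_for(params)
  limit = safe_limit(params['per_page'])
  page  = safe_limit(params['page'], default: 1, max: 1_000_000)
  { limit: limit, offset: (page - 1) * limit }
end
```

Keeping the coercion in one helper means every relation built from request parameters shares the same contract, and the cap is the place to tune when a listing endpoint starts returning too many rows.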

Security announcement about filtering problems on case insensitive filesystems.

Full details here.

Versions affected: 3.0.0 to 3.0.3.

Security announcement about potential XSS problem with mail_to :encode => :javascript.

Full details here.

Versions affected: 2.x.x and 3.0.x.

Security announcement about CSRF protection bypass.

Full details here.

Versions affected: 2.x.x and 3.0.x.

Problem
You need to install OpenLDAP to test authentication against LDAP, but the ldapsearch command line utility is not installed on your system.

Solution
Install Mandriva’s openldap-clients package, which includes ldapsearch:

sudo urpmi openldap-clients